Backpatch fix for buffer overrun in parsing refcursor parameters to

Neil Conway · Neil Conway · commit 9eeeb9809ed1 · 2005-01-27T01:52:34.000Z
REL7_2_STABLE.
diff --git a/src/pl/plpgsql/src/gram.y b/src/pl/plpgsql/src/gram.y
@@ -4,7 +4,7 @@
  *						  procedural language
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/pl/plpgsql/src/gram.y,v 1.29.2.1 2002/05/21 18:50:18 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/pl/plpgsql/src/gram.y,v 1.29.2.2 2005/01/27 01:52:34 neilc Exp $
  *
  *	  This software is copyrighted by Jan Wieck - Hamburg.
  *
@@ -476,6 +476,10 @@ decl_cursor_arglist : decl_cursor_arg
 					{
 						int i = $1->nfields++;
 
+						/* Guard against overflowing the array on malicious input */
+						if (i >= 1024)
+							yyerror("too many parameters specified for refcursor");
+
 						$1->fieldnames[i] = $3->refname;
 						$1->varnos[i] = $3->varno;
 

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@`
`4`	`4`	`* procedural language`
`5`	`5`	`*`
`6`	`6`	`* IDENTIFICATION`
`7`		`- * $Header: /cvsroot/pgsql/src/pl/plpgsql/src/gram.y,v 1.29.2.1 2002/05/21 18:50:18 tgl Exp $`
	`7`	`+ * $Header: /cvsroot/pgsql/src/pl/plpgsql/src/gram.y,v 1.29.2.2 2005/01/27 01:52:34 neilc Exp $`
`8`	`8`	`*`
`9`	`9`	`* This software is copyrighted by Jan Wieck - Hamburg.`
`10`	`10`	`*`
`@@ -476,6 +476,10 @@ decl_cursor_arglist : decl_cursor_arg`
`476`	`476`	`{`
`477`	`477`	`int i = $1->nfields++;`
`478`	`478`
	`479`	`+ /* Guard against overflowing the array on malicious input */`
	`480`	`+ if (i >= 1024)`
	`481`	`+ yyerror("too many parameters specified for refcursor");`
	`482`	`+`
`479`	`483`	`$1->fieldnames[i] = $3->refname;`
`480`	`484`	`$1->varnos[i] = $3->varno;`
`481`	`485`