Fix overflow in parsing of positional parameter

petere · petere · commit d35cd0619984 · 2024-07-02T09:29:26.000+02:00
Replace atol with pg_strtoint32_safe in the backend parser and with strtoint in ECPG to reject overflows when parsing the number of a positional parameter. With atol from glibc, parameters $2147483648 and $4294967297 turn into $-2147483648 and $1, respectively. Author: Erik Wienhold <ewie@ewie.name> Reviewed-by: Michael Paquier <michael@paquier.xyz> Reviewed-by: Peter Eisentraut <peter@eisentraut.org> Reviewed-by: Alexander Lakhin <exclusion@gmail.com> Discussion: https://www.postgresql.org/message-id/flat/5d216d1c-91f6-4cbe-95e2-b4cbd930520c@ewie.name
diff --git a/src/backend/parser/scan.l b/src/backend/parser/scan.l
@@ -992,8 +992,14 @@ other			.
 				}
 
 {param}			{
+					ErrorSaveContext escontext = {T_ErrorSaveContext};
+					int32		val;
+
 					SET_YYLLOC();
-					yylval->ival = atol(yytext + 1);
+					val = pg_strtoint32_safe(yytext + 1, (Node *) &escontext);
+					if (escontext.error_occurred)
+						yyerror("parameter number too large");
+					yylval->ival = val;
 					return PARAM;
 				}
 {param_junk}	{
diff --git a/src/interfaces/ecpg/preproc/pgc.l b/src/interfaces/ecpg/preproc/pgc.l
@@ -938,7 +938,13 @@ cppline			{space}*#([^i][A-Za-z]*|{if}|{ifdef}|{ifndef}|{import})((\/\*[^*/]*\*+
 				}
 
 {param}			{
-					base_yylval.ival = atol(yytext+1);
+					int			val;
+
+					errno = 0;
+					val = strtoint(yytext + 1, NULL, 10);
+					if (errno == ERANGE)
+						mmfatal(PARSE_ERROR, "parameter number too large");
+					base_yylval.ival = val;
 					return PARAM;
 				}
 {param_junk}	{
diff --git a/src/test/regress/expected/numerology.out b/src/test/regress/expected/numerology.out
@@ -206,6 +206,10 @@ PREPARE p1 AS SELECT $1a;
 ERROR:  trailing junk after parameter at or near "$1a"
 LINE 1: PREPARE p1 AS SELECT $1a;
                              ^
+PREPARE p1 AS SELECT $2147483648;
+ERROR:  parameter number too large at or near "$2147483648"
+LINE 1: PREPARE p1 AS SELECT $2147483648;
+                             ^
 SELECT 0b;
 ERROR:  invalid binary integer at or near "0b"
 LINE 1: SELECT 0b;
diff --git a/src/test/regress/sql/numerology.sql b/src/test/regress/sql/numerology.sql
@@ -52,6 +52,7 @@ SELECT 0.0e1a;
 SELECT 0.0e;
 SELECT 0.0e+a;
 PREPARE p1 AS SELECT $1a;
+PREPARE p1 AS SELECT $2147483648;
 
 SELECT 0b;
 SELECT 1b;

Original file line number	Diff line number	Diff line change
`@@ -938,7 +938,13 @@ cppline {space}#([^i][A-Za-z]\|{if}\|{ifdef}\|{ifndef}\|{import})((\/\[^/]\+`
`938`	`938`	`}`
`939`	`939`
`940`	`940`	`{param} {`
`941`		`- base_yylval.ival = atol(yytext+1);`
	`941`	`+ int val;`
	`942`	`+`
	`943`	`+ errno = 0;`
	`944`	`+ val = strtoint(yytext + 1, NULL, 10);`
	`945`	`+ if (errno == ERANGE)`
	`946`	`+ mmfatal(PARSE_ERROR, "parameter number too large");`
	`947`	`+ base_yylval.ival = val;`
`942`	`948`	`return PARAM;`
`943`	`949`	`}`
`944`	`950`	`{param_junk} {`