Skip to content

Commit f261ad2

Browse files
tglsfdctglsfdc
committed
Fix possible buffer overrun in contrib/pg_trgm.
Allow for the possibility that folding a string to lower case makes it longer (due to replacing a character with a longer multibyte character). This doesn't change the number of trigrams that will be extracted, but it does affect the required size of an intermediate buffer in generate_trgm(). Per bug #8821 from Ufuk Kayserilioglu. Also install some checks that the input string length is not so large as to cause overflow in the calculations of palloc request sizes. Back-patch to all supported versions.
1 parent 6c3f040 commit f261ad2

File tree

1 file changed

+21
-3
lines changed

1 file changed

+21
-3
lines changed

contrib/pg_trgm/trgm_op.c

Lines changed: 21 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -3,9 +3,10 @@
33
*/
44
#include "trgm.h"
55
#include <ctype.h>
6-
#include "utils/array.h"
76
#include "catalog/pg_type.h"
87
#include "tsearch/ts_locale.h"
8+
#include "utils/array.h"
9+
#include "utils/memutils.h"
910

1011
PG_MODULE_MAGIC;
1112

@@ -172,6 +173,18 @@ generate_trgm(char *str, int slen)
172173
char *bword,
173174
*eword;
174175

176+
/*
177+
* Guard against possible overflow in the palloc requests below. (We
178+
* don't worry about the additive constants, since palloc can detect
179+
* requests that are a little above MaxAllocSize --- we just need to
180+
* prevent integer overflow in the multiplications.)
181+
*/
182+
if ((Size) (slen / 2) >= (MaxAllocSize / (sizeof(trgm) * 3)) ||
183+
(Size) slen >= (MaxAllocSize / pg_database_encoding_max_length()))
184+
ereport(ERROR,
185+
(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
186+
errmsg("out of memory")));
187+
175188
trg = (TRGM *) palloc(TRGMHDRSIZE + sizeof(trgm) * (slen / 2 + 1) *3);
176189
trg->flag = ARRKEY;
177190
SET_VARSIZE(trg, TRGMHDRSIZE);
@@ -181,7 +194,8 @@ generate_trgm(char *str, int slen)
181194

182195
tptr = GETARR(trg);
183196

184-
buf = palloc(sizeof(char) * (slen + 4));
197+
/* Allocate a buffer for case-folded, blank-padded words */
198+
buf = (char *) palloc(slen * pg_database_encoding_max_length() + 4);
185199

186200
if (LPADDING > 0)
187201
{
@@ -205,6 +219,7 @@ generate_trgm(char *str, int slen)
205219
#ifdef IGNORECASE
206220
pfree(bword);
207221
#endif
222+
208223
buf[LPADDING + bytelen] = ' ';
209224
buf[LPADDING + bytelen + 1] = ' ';
210225

@@ -220,7 +235,10 @@ generate_trgm(char *str, int slen)
220235
if ((len = tptr - GETARR(trg)) == 0)
221236
return trg;
222237

223-
if (len > 0)
238+
/*
239+
* Make trigrams unique.
240+
*/
241+
if (len > 1)
224242
{
225243
qsort((void *) GETARR(trg), len, sizeof(trgm), comp_trgm);
226244
len = unique_array(GETARR(trg), len);

0 commit comments

Comments
 (0)
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy