backpatch minor security fixes to 7.2 
 backpatch minor security fixes to 7.2


This patch fixes the integer overflows in circle_poly(), path_encode(),
and path_add() in geo_ops.c in the REL7_2_STABLE branch. The patch I
originally wrote to fix the holes was only applied to 7.3; while I don't
think it's worth putting out a 7.2.4 with these fixes, I think it would
be helpful to have the fixes in the 7.2 branch in CVS.

Bruce: please apply this to REL7_2_STABLE *only*, as HEAD and
REL7_3_STABLE have already been fixed.

Cheers,

Neil
--


Index: src/backend/utils/adt/geo_ops.c
===================================================================
RCS file: /var/lib/cvs/pgsql-server/src/backend/utils/adt/geo_ops.c,v
retrieving revision 1.60.2.1
diff -c -r1.60.2.1 geo_ops.c
*** src/backend/utils/adt/geo_ops.c     14 May 2002 18:16:54 -0000      1.60.2.1
--- src/backend/utils/adt/geo_ops.c     16 Jan 2003 17:58:17 -0000
***************
*** 269,279 ****
  static char *
  path_encode(bool closed, int npts, Point *pt)
  {
!       char       *result = palloc(npts * (P_MAXLEN + 3) + 2);
!
        char       *cp;
        int                     i;

        cp = result;
        switch (closed)
        {
--- 269,285 ----
  static char *
  path_encode(bool closed, int npts, Point *pt)
  {
!       int                     size = npts * (P_MAXLEN + 3) + 2;
!       char       *result;
        char       *cp;
        int                     i;

+       /* Check for integer overflow */
+       if ((size - 2) / npts != (P_MAXLEN + 3))
+               elog(ERROR, "Too many points requested");
+
+       result = palloc(size);
+
        cp = result;
        switch (closed)
        {
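Review bot: The new check in path_encode still evaluates `npts * (P_MAXLEN + 3) + 2` in signed int before testing it, and signed overflow is undefined in C, so an optimizing compiler is free to assume the product cannot wrap and discard the `(size - 2) / npts` comparison; the division also faults if any caller can pass npts == 0, which I cannot rule out from this hunk since the callers are outside it. Testing the precondition before the multiplication avoids both problems: `if (npts < 0 || npts > (INT_MAX - 2) / (P_MAXLEN + 3)) elog(ERROR, "Too many points requested");` followed by the existing `size` computation and `palloc(size)`. INT_MAX needs `<limits.h>`, which geo_ops.c may or may not already include. path_encode's body continues past the end of the hunk.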
***************
*** 3595,3606 ****
        PATH       *p2 = PG_GETARG_PATH_P(1);
        PATH       *result;
        int                     size;
        int                     i;

        if (p1->closed || p2->closed)
                PG_RETURN_NULL();

!       size = offsetof(PATH, p[0]) +sizeof(p1->p[0]) * (p1->npts + p2->npts);
        result = (PATH *) palloc(size);

        result->size = size;
--- 3601,3620 ----
        PATH       *p2 = PG_GETARG_PATH_P(1);
        PATH       *result;
        int                     size;
+       int                     base_size;
        int                     i;

        if (p1->closed || p2->closed)
                PG_RETURN_NULL();

!       base_size = sizeof(p1->p[0]) * (p1->npts + p2->npts);
!       size = offsetof(PATH, p[0]) + base_size;
!
!       /* Check for integer overflow */
!       if (base_size / sizeof(p1->p[0]) != (p1->npts + p2->npts) ||
!               size <= base_size)
!               elog(ERROR, "Too many points requested");
!
        result = (PATH *) palloc(size);

        result->size = size;
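Review bot: The path_add guard validates the product only after it has been narrowed from size_t into the int base_size, so whether it fires depends on how the out-of-range value truncates, and `p1->npts + p2->npts` is recomputed three times with a negative npts (should a datum ever carry one) being sign-extended to a huge size_t before the multiply. Hoisting the sum and bounding it before any arithmetic is clearer and does not rely on wraparound: `int npts = p1->npts + p2->npts;` then `if (npts < 0 || (size_t) npts > (INT_MAX - offsetof(PATH, p[0])) / sizeof(p1->p[0])) elog(ERROR, "Too many points requested");` and `size = offsetof(PATH, p[0]) + npts * sizeof(p1->p[0]);`. Whether a stored 7.2 path can have a negative npts I cannot tell from this hunk. path_add's signature precedes the hunk and its body continues after it.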
***************
*** 4412,4424 ****
        CIRCLE     *circle = PG_GETARG_CIRCLE_P(1);
        POLYGON    *poly;
        int                     size;
        int                     i;
        double          angle;

        if (FPzero(circle->radius) || (npts < 2))
                elog(ERROR, "Unable to convert circle to polygon");

!       size = offsetof(POLYGON, p[0]) +(sizeof(poly->p[0]) * npts);
        poly = (POLYGON *) palloc(size);

        MemSet((char *) poly, 0, size);         /* zero any holes */
--- 4426,4445 ----
        CIRCLE     *circle = PG_GETARG_CIRCLE_P(1);
        POLYGON    *poly;
        int                     size;
+       int                     base_size;
        int                     i;
        double          angle;

        if (FPzero(circle->radius) || (npts < 2))
                elog(ERROR, "Unable to convert circle to polygon");

!       base_size = sizeof(poly->p[0]) * npts;
!       size = offsetof(POLYGON, p[0]) + base_size;
!
!       /* Check for integer overflow */
!       if (base_size / npts != sizeof(poly->p[0]) || size <= base_size)
!               elog(ERROR, "Too many points requested");
!
        poly = (POLYGON *) palloc(size);

        MemSet((char *) poly, 0, size);         /* zero any holes */
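Review bot: circle_poly detects the overflow only after the fact: `sizeof(poly->p[0]) * npts` is computed in size_t and then narrowed into the int base_size, and the `base_size / npts != sizeof(...)` test relies on that narrowing yielding a detectable quotient, which is implementation-defined rather than guaranteed. Since npts is caller-supplied and the `npts < 2` test above bounds it only from below, a direct upper-bound check before the multiply is simpler and self-evidently correct: `if (npts > (INT_MAX - offsetof(POLYGON, p[0])) / sizeof(poly->p[0])) elog(ERROR, "Too many points requested");` with `size` then computed as before. A much smaller application-level ceiling on npts may also be worth considering, since a non-overflowing size can still be a multi-gigabyte allocation; whether palloc in 7.2 already rejects such sizes I cannot confirm from here. circle_poly's signature is above the hunk and its body continues below it.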





Tue, 05 Jul 2005 02:35:01 GMT