mirrors/postgres
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

repeat() fix:

Browse Source 
> Neil Conway <neilc@samurai.com> writes:
> > +   /* Check for integer overflow */
> > +   if (tlen / slen != count)
> > +           elog(ERROR, "Requested buffer is too large.");
>
> What about slen == 0?

Good point -- that wouldn't cause incorrect results or a security
problem, but it would reject input that we should really accept.

Revised patch is attached.

Neil Conway
This commit is contained in:
Bruce Momjian 2002-08-22 04:54:20 +00:00
parent c76f5aa530
commit cbe733d752
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/backend/utils/adt/oracle_compat.c
View File

@ -9,7 +9,7 @@
*
*
* IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/utils/adt/oracle_compat.c,v 1.38 2002/06/20 20:51:45 momjian Exp $
* $Header: /cvsroot/pgsql/src/backend/utils/adt/oracle_compat.c,v 1.39 2002/08/22 04:54:20 momjian Exp $
*
*-------------------------------------------------------------------------
*/
@ -997,6 +997,10 @@ repeat(PG_FUNCTION_ARGS)
slen = (VARSIZE(string) - VARHDRSZ);
tlen = (VARHDRSZ + (count * slen));
/* Check for integer overflow */
if (slen != 0 && count != 0 && tlen / slen != count)
elog(ERROR, "Requested buffer is too large.");
result = (text *) palloc(tlen);
VARATT_SIZEP(result) = tlen;