public inbox for [email protected]
From: Noah Misch <[email protected]>
To: [email protected]
Subject: pgsql: Fix assorted places that need to use palloc_array().
Date: Mon, 11 May 2026 12:19:36 +0000
Message-ID: <[email protected]>

Fix assorted places that need to use palloc_array().

multirange_recv and BlockRefTableReaderNextRelation were incautious
about multiplying a possibly-large integer by a factor more than 1
and then using it as an allocation size. This is harmless on 64-bit
systems where we'd compute a size exceeding MaxAllocSize and then
fail, but on 32-bit systems we could overflow size_t leading to an
undersized allocation and buffer overrun.

Fix these places by using palloc_array() instead of a handwritten
multiplication. (In HEAD, some of them were fixed already, but
none of that work got back-patched at the time.)

In addition, BlockRefTableReaderNextRelation passes the same value
to BlockRefTableRead's "int length" parameter. If built for
64-bit frontend code, palloc_array() allows a larger array size
than it otherwise would, potentially allowing that parameter to
overflow. Add an explicit check to forestall that and keep the
behavior the same cross-platform.

Reported-by: Xint Code
Author: Tom Lane <[email protected]>
Backpatch-through: 14
Security: CVE-2026-6473

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/c55cea5290647c8d3e571893078664bbca955017
Author: Tom Lane <[email protected]>

Modified Files
--------------
src/backend/utils/adt/multirangetypes.c |  3 ++-
src/common/blkreftable.c                | 14 ++++++++++++++
2 files changed, 16 insertions(+), 1 deletion(-)
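
The size arithmetic described in the commit message above, as an added illustration: this is not code from the PostgreSQL commit and does not show how palloc_array() is implemented. uint32_t stands in for a 32-bit size_t so the wraparound is visible on any host; the function names and the sample count are hypothetical.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* PostgreSQL's backend allocation ceiling (MaxAllocSize, 1 GB - 1). */
#define MAX_ALLOC_SIZE 0x3fffffffu

/* Handwritten "count * elem_size" as a build with 32-bit size_t evaluates it:
 * uint32_t stands in for size_t, so the product wraps modulo 2^32. */
static uint32_t naive_bytes32(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Checked form: divide instead of multiply, so nothing can wrap.
 * Returns the byte count, or -1 when the request must be rejected. */
static int64_t checked_bytes32(uint32_t count, uint32_t elem_size)
{
    if (elem_size != 0 && count > MAX_ALLOC_SIZE / elem_size)
        return -1;
    return (int64_t) count * elem_size;
}

/* With 64-bit size_t a larger array can be allocated, but the same byte
 * count is then handed to an "int length" parameter. Returns the length,
 * or -1 when it would not fit in an int. */
static int64_t checked_int_length(uint64_t count, uint64_t elem_size)
{
    if (elem_size != 0 && count > (uint64_t) INT_MAX / elem_size)
        return -1;
    return (int64_t) (count * elem_size);
}

int main(void)
{
    /* Constructed input: a large element count and an 8-byte element. */
    uint32_t count = 0x20000001u, elem = 8;

    printf("naive 32-bit size:   %u bytes\n", (unsigned) naive_bytes32(count, elem));
    printf("checked 32-bit size: %lld\n", (long long) checked_bytes32(count, elem));
    printf("int length check:    %lld\n", (long long) checked_int_length(count, elem));
    return 0;
}
```

With the constructed count, the unchecked product wraps to 8 bytes while the caller still believes it has room for 0x20000001 elements, which is the undersized allocation the message describes.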