agora inbox for [email protected]help / color / mirror / Atom feed
[PATCH v48 6/7] Error out any process that would block at REPACK 120+ messages / 3 participants [nested] [flat]
* [PATCH v48 6/7] Error out any process that would block at REPACK @ 2026-03-25 19:35 Álvaro Herrera <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Álvaro Herrera @ 2026-03-25 19:35 UTC (permalink / raw) Any process waiting on REPACK to release its lock would actually cause it to deadlock when it tries to upgrade its lock to AEL, losing all work done to that point. We avoid this by teaching the deadlock detector to raise an error when this condition is detected. --- src/backend/commands/repack.c | 52 ++++++++---- src/backend/storage/lmgr/deadlock.c | 15 ++++ src/include/storage/proc.h | 6 +- src/test/modules/injection_points/Makefile | 1 + .../expected/repack_deadlock.out | 63 ++++++++++++++ src/test/modules/injection_points/meson.build | 1 + .../specs/repack_deadlock.spec | 83 +++++++++++++++++++ 7 files changed, 202 insertions(+), 19 deletions(-) create mode 100644 src/test/modules/injection_points/expected/repack_deadlock.out create mode 100644 src/test/modules/injection_points/specs/repack_deadlock.spec diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index a514053b777..781a471fc1d 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -276,6 +276,16 @@ ExecRepack(ParseState *pstate, RepackStmt *stmt, bool isTopLevel) /* Determine the lock mode to use. */ lockmode = RepackLockLevel((params.options & CLUOPT_CONCURRENT) != 0); + /* + * If in concurrent mode, set the PROC_IN_CONCURRENT_REPACK flag. This + * makes the deadlock checker cause anyone that would conflict with us to + * error out. It's important to set this flag ahead of actually locking + * the relation; it won't of course affect anyone until we do have a lock + * that others can conflict with. + */ + if ((params.options & CLUOPT_CONCURRENT) != 0) + MyProc->statusFlags |= PROC_IN_CONCURRENT_REPACK; + /* * If a single relation is specified, process it and we're done ... unless * the relation is a partitioned table, in which case we fall through. @@ -476,11 +486,8 @@ RepackLockLevel(bool concurrent) * If indexOid is InvalidOid, the table will be rewritten in physical order * instead of index order. * - * Note that, in the concurrent case, the function releases the lock at some - * point, in order to get AccessExclusiveLock for the final steps (i.e. to - * swap the relation files). To make things simpler, the caller should expect - * OldHeap to be closed on return, regardless CLUOPT_CONCURRENT. (The - * AccessExclusiveLock is kept till the end of the transaction.) + * On return, OldHeap is closed but locked with AccessExclusiveLock - the lock + * will be released at end of the transaction. * * 'cmd' indicates which command is being executed, to be used for error * messages. @@ -512,10 +519,12 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, /* * Make sure we're not in a transaction block. * - * The reason is that repack_setup_logical_decoding() could deadlock - * if there's an XID already assigned. It would be possible to run in - * a transaction block if we had no XID, but this restriction is - * simpler for users to understand and we don't lose anything. + * The reason is that repack_setup_logical_decoding() could wait + * indefinitely for our XID to complete. (The deadlock detector would + * not recognize it because we'd be waiting for ourselves, i.e. no + * real lock conflict.) It would be possible to run in a transaction + * block if we had no XID, but this restriction is simpler for users + * to understand and we don't lose anything. */ PreventInTransactionBlock(isTopLevel, "REPACK (CONCURRENTLY)"); @@ -998,10 +1007,8 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, * Note that the worker has to wait for all transactions with XID * already assigned to finish. If some of those transactions is * waiting for a lock conflicting with ShareUpdateExclusiveLock on our - * table (e.g. it runs CREATE INDEX), we can end up in a deadlock. - * Not sure this risk is worth unlocking/locking the table (and its - * clustering index) and checking again if it's still eligible for - * REPACK CONCURRENTLY. + * table (e.g. it runs CREATE INDEX), it should encounter ERROR in the + * deadlock checking code. */ start_repack_decoding_worker(tableOid); @@ -3090,7 +3097,16 @@ rebuild_relation_finish_concurrent(Relation NewHeap, Relation OldHeap, LockRelationOid(OldHeap->rd_rel->reltoastrelid, AccessExclusiveLock); /* - * Tuples and pages of the old heap will be gone, but the heap will stay. + * Now that we have all access-exclusive locks on all relations, we no + * longer want other processes to error out when trying to acquire a + * conflicting lock. Therefore, unset our flag. + */ + MyProc->statusFlags &= ~PROC_IN_CONCURRENT_REPACK; + + /* + * Tuples and pages of the old heap will be gone, but the heap itself will + * stay. In order for predicate locks to continue to work, convert them + * to relation-level locks. We do this both for table and indexes. */ TransferPredicateLocksToHeapRelation(OldHeap); foreach_ptr(RelationData, index, indexrels) @@ -3288,9 +3304,11 @@ start_repack_decoding_worker(Oid relid) /* * The decoding setup must be done before the caller can have XID assigned - * for any reason, otherwise the worker might end up in a deadlock, - * waiting for the caller's transaction to end. Therefore wait here until - * the worker indicates that it has the logical decoding initialized. + * for any reason, otherwise the worker might end up waiting for the + * caller's transaction to end. (Deadlock detector does not consider this + * a conflict because the worker is in the same locking group as the + * backend that launched it.) Therefore wait here until the worker + * indicates that it has the logical decoding initialized. */ ConditionVariablePrepareToSleep(&shared->cv); for (;;) diff --git a/src/backend/storage/lmgr/deadlock.c b/src/backend/storage/lmgr/deadlock.c index b8962d875b6..c20ac682b0d 100644 --- a/src/backend/storage/lmgr/deadlock.c +++ b/src/backend/storage/lmgr/deadlock.c @@ -620,6 +620,21 @@ FindLockCycleRecurseMember(PGPROC *checkProc, proc->statusFlags & PROC_IS_AUTOVACUUM) blocking_autovacuum_proc = proc; + /* + * Similarly, if we note that we're blocked by some + * process running REPACK (CONCURRENTLY), just fail. That + * process is going to upgrade its lock at some point, and + * it would be inappropriate for any other process to + * cause that to fail. + */ + if (checkProc == MyProc && + proc->statusFlags & PROC_IN_CONCURRENT_REPACK) + ereport(ERROR, + errcode(ERRCODE_OBJECT_IN_USE), + errmsg("could not wait for concurrent REPACK"), + errdetail("Process %d waits for REPACK running on process %d", + MyProc->pid, proc->pid)); + /* We're done looking at this proclock */ break; } diff --git a/src/include/storage/proc.h b/src/include/storage/proc.h index 1dad125706e..8ad9718f3d6 100644 --- a/src/include/storage/proc.h +++ b/src/include/storage/proc.h @@ -69,10 +69,12 @@ struct XidCache #define PROC_AFFECTS_ALL_HORIZONS 0x20 /* this proc's xmin must be * included in vacuum horizons * in all databases */ +#define PROC_IN_CONCURRENT_REPACK 0x40 /* REPACK (CONCURRENTLY) */ -/* flags reset at EOXact */ +/* flags reset at EOXact. A bit of a misnomer ... */ #define PROC_VACUUM_STATE_MASK \ - (PROC_IN_VACUUM | PROC_IN_SAFE_IC | PROC_VACUUM_FOR_WRAPAROUND) + (PROC_IN_VACUUM | PROC_IN_SAFE_IC | PROC_VACUUM_FOR_WRAPAROUND | \ + PROC_IN_CONCURRENT_REPACK) /* * Xmin-related flags. Make sure any flags that affect how the process' Xmin diff --git a/src/test/modules/injection_points/Makefile b/src/test/modules/injection_points/Makefile index 2cd7d87c533..f7663859fe2 100644 --- a/src/test/modules/injection_points/Makefile +++ b/src/test/modules/injection_points/Makefile @@ -15,6 +15,7 @@ REGRESS_OPTS = --dlpath=$(top_builddir)/src/test/regress ISOLATION = basic \ inplace \ repack \ + repack_deadlock \ repack_toast \ syscache-update-pruned \ heap_lock_update diff --git a/src/test/modules/injection_points/expected/repack_deadlock.out b/src/test/modules/injection_points/expected/repack_deadlock.out new file mode 100644 index 00000000000..a86e4767536 --- /dev/null +++ b/src/test/modules/injection_points/expected/repack_deadlock.out @@ -0,0 +1,63 @@ +Parsed test spec with 2 sessions + +starting permutation: wait_before_lock add_column wakeup_before_lock check1 +injection_points_attach +----------------------- + +(1 row) + +step wait_before_lock: + REPACK (CONCURRENTLY) repack_deadlock USING INDEX repack_deadlock_pkey; + <waiting ...> +step add_column: + alter table repack_deadlock add column noise text; + <waiting ...> +step add_column: <... completed> +ERROR: could not wait for concurrent REPACK +step wakeup_before_lock: + SELECT injection_points_wakeup('repack-concurrently-before-lock'); + +injection_points_wakeup +----------------------- + +(1 row) + +step wait_before_lock: <... completed> +step check1: + INSERT INTO relfilenodes(node) + SELECT relfilenode FROM pg_class WHERE relname='repack_deadlock'; + + SELECT count(DISTINCT node) FROM relfilenodes; + + SELECT i, j FROM repack_deadlock ORDER BY i, j; + + INSERT INTO data_s1(i, j) + SELECT i, j FROM repack_deadlock; + + SELECT count(*) + FROM data_s1 d1 FULL JOIN data_s2 d2 USING (i, j) + WHERE d1.i ISNULL OR d2.i ISNULL; + +count +----- + 1 +(1 row) + +i|j +-+- +1|1 +2|2 +3|3 +4|4 +(4 rows) + +count +----- + 4 +(1 row) + +injection_points_detach +----------------------- + +(1 row) + diff --git a/src/test/modules/injection_points/meson.build b/src/test/modules/injection_points/meson.build index a414abb924b..1cd88d6db65 100644 --- a/src/test/modules/injection_points/meson.build +++ b/src/test/modules/injection_points/meson.build @@ -46,6 +46,7 @@ tests += { 'basic', 'inplace', 'repack', + 'repack_deadlock', 'repack_toast', 'syscache-update-pruned', 'heap_lock_update', diff --git a/src/test/modules/injection_points/specs/repack_deadlock.spec b/src/test/modules/injection_points/specs/repack_deadlock.spec new file mode 100644 index 00000000000..9d23a6588c2 --- /dev/null +++ b/src/test/modules/injection_points/specs/repack_deadlock.spec @@ -0,0 +1,83 @@ +# Test REPACK with a concurrent transaction that would cause a deadlock +setup +{ + CREATE EXTENSION injection_points; + + CREATE TABLE repack_deadlock(i int PRIMARY KEY, j int); + INSERT INTO repack_deadlock(i, j) VALUES (1, 1), (2, 2), (3, 3), (4, 4); + + CREATE TABLE relfilenodes(node oid); + + CREATE TABLE data_s1(i int, j int); + CREATE TABLE data_s2(i int, j int); +} + +teardown +{ + DROP TABLE repack_deadlock; + DROP EXTENSION injection_points; + + DROP TABLE relfilenodes; + DROP TABLE data_s1; + DROP TABLE data_s2; +} + +session s1 +setup +{ + SELECT injection_points_set_local(); + SELECT injection_points_attach('repack-concurrently-before-lock', 'wait'); +} +# Perform the initial load and wait for s2 to do some data changes. +step wait_before_lock +{ + REPACK (CONCURRENTLY) repack_deadlock USING INDEX repack_deadlock_pkey; +} +# Check the table from the perspective of s1. +# +# Besides the contents, we also check that relfilenode has changed. + +# Have each session write the contents into a table and use FULL JOIN to check +# if the outputs are identical. +step check1 +{ + INSERT INTO relfilenodes(node) + SELECT relfilenode FROM pg_class WHERE relname='repack_deadlock'; + + SELECT count(DISTINCT node) FROM relfilenodes; + + SELECT i, j FROM repack_deadlock ORDER BY i, j; + + INSERT INTO data_s1(i, j) + SELECT i, j FROM repack_deadlock; + + SELECT count(*) + FROM data_s1 d1 FULL JOIN data_s2 d2 USING (i, j) + WHERE d1.i ISNULL OR d2.i ISNULL; +} +teardown +{ + SELECT injection_points_detach('repack-concurrently-before-lock'); +} + +session s2 +# Change the existing data. UPDATE changes both key and non-key columns. Also +# update one row twice to test whether tuple version generated by this session +# can be found. +step add_column +{ + alter table repack_deadlock add column noise text; +} + +step wakeup_before_lock +{ + SELECT injection_points_wakeup('repack-concurrently-before-lock'); +} + +# Test if data changes introduced while one session is performing REPACK +# CONCURRENTLY find their way into the table. +permutation + wait_before_lock + add_column + wakeup_before_lock + check1 -- 2.47.3 --qfkt2ktdpcfeypib Content-Type: text/x-diff; charset=utf-8 Content-Disposition: attachment; filename="v48-0007-Teach-snapshot-builder-to-skip-transactions-runn.patch" ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:13 Andrey Rachitskiy <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:13 UTC (permalink / raw) When a PL/Perl function returns a very large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. A user with permission to create untrusted PL/Perl functions can return strings far larger than work_mem and risk getting the backend killed by the OOM killer. Reject Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). This follows the same work_mem-based limit pattern used elsewhere in the backend. Add a plperl regression test that attempts to return a 16MB string with the default 4MB work_mem setting. Author: Andrey Rachitskiy <[email protected]> --- src/pl/plperl/expected/plperl.out | 8 +++++++ src/pl/plperl/plperl.h | 34 ++++++++++++++++++++++++++++++ src/pl/plperl/sql/plperl.sql | 7 ++++++ 3 files changed, 49 insertions(+) diff --git a/src/pl/plperl/expected/plperl.out b/src/pl/plperl/expected/plperl.out index e3d7c88..50c788b 100644 --- a/src/pl/plperl/expected/plperl.out +++ b/src/pl/plperl/expected/plperl.out @@ -792,3 +792,11 @@ SELECT self_modify(42); 126 (1 row) +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; +SELECT perl_oversized_text(); +ERROR: Perl value exceeds maximum allowed size (4194304 bytes) +HINT: Increase work_mem or reduce the result size. +CONTEXT: PL/Perl function "perl_oversized_text" diff --git a/src/pl/plperl/plperl.h b/src/pl/plperl/plperl.h index 4c03f9e..1ccce6d 100644 --- a/src/pl/plperl/plperl.h +++ b/src/pl/plperl/plperl.h @@ -17,6 +17,8 @@ /* defines free() by way of system headers, so must be included before perl.h */ #include "mb/pg_wchar.h" +#include "miscadmin.h" +#include "utils/memutils.h" /* * Pull in Perl headers via a wrapper header, to control the scope of @@ -40,6 +42,36 @@ char *plperl_sv_to_literal(SV *, char *); void plperl_util_elog(int level, SV *msg); +/* + * Maximum byte size for a Perl scalar copied through sv2cstr(). + * + * This follows the same work_mem * 1024 pattern used elsewhere in the + * backend (e.g. reorderbuffer.c, nodeHash.c) and is capped by MaxAllocSize. + */ +static inline Size +plperl_max_scalar_bytes(void) +{ + Size limit = (Size) work_mem * (Size) 1024; + + return Min(limit, MaxAllocSize - 1); +} + +/* + * Reject Perl strings that are too large to copy into backend memory. + */ +static inline void +plperl_check_sv_length(STRLEN len) +{ + Size max_len = plperl_max_scalar_bytes(); + + if ((Size) len > max_len) + erereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("Perl value exceeds maximum allowed size (%zu bytes)", + max_len), + errhint("Increase work_mem or reduce the result size."))); +} + /* helper functions */ /* @@ -127,6 +159,8 @@ sv2cstr(SV *sv) else val = SvPVutf8(sv, len); + plperl_check_sv_length(len); + /* * Now convert to database encoding. We use perl's length in the event we * had an embedded null byte to ensure we error out properly. diff --git a/src/pl/plperl/sql/plperl.sql b/src/pl/plperl/sql/plperl.sql index bb0b8ce..0470a2b 100644 --- a/src/pl/plperl/sql/plperl.sql +++ b/src/pl/plperl/sql/plperl.sql @@ -521,3 +521,10 @@ $$ LANGUAGE plperl; SELECT self_modify(42); SELECT self_modify(42); + +-- oversized text results are rejected at the PL boundary +CREATE OR REPLACE FUNCTION perl_oversized_text() RETURNS text AS $$ + return 'x' x (16 * 1024 * 1024); +$$ LANGUAGE plperl; + +SELECT perl_oversized_text(); --MP_/sDTAhto+gkG/PMs8Alw6m8e-- ^ permalink raw reply [nested|flat] 120+ messages in thread
* [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-06 22:41 Andrey Rachitskiy <[email protected]> 0 siblings, 1 reply; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-06 22:41 UTC (permalink / raw) To: ; +Cc: PostgreSQL Hackers <[email protected]>; Nikolay Shaplov <[email protected]> Hi, Hackers! When a PL/Perl function returns a large text value, sv2cstr() copies the entire Perl string into backend memory with no size check. The helper is used on the path from Perl return values and SPI arguments to PostgreSQL text datums; it simply palloc()s a copy after SvPVutf8(). A user who is allowed to create untrusted PL/Perl functions can therefore force the backend to allocate strings far larger than any session limit. On a memory-constrained host this can get the backend process killed by the OOM killer (SIGKILL) rather than raising a catchable PostgreSQL error. Reproducer (unpatched master, plperl enabled): CREATE FUNCTION perl_huge_text() RETURNS text LANGUAGE plperl AS $$ return 'x' x (1024 * 1024 * 1024); $$; SELECT perl_huge_text(); On a container limited to about 768MB RAM, CREATE FUNCTION alone is enough to lose the backend: LOG: client backend (PID ...) was terminated by signal 9: Killed DETAIL: Failed process was running: CREATE OR REPLACE FUNCTION ... With plenty of free RAM the same code may succeed instead, which I think shows missing enforcement rather than an intentional "no limit" design: other PL/Perl paths already enforce bounds (MAXDIM, AV_SIZE_MAX for SPI results, max_stack_depth in recursive conversion), but sv2cstr() had none. This patch rejects Perl strings larger than work_mem * 1024 bytes, capped by MaxAllocSize, before copying them through sv2cstr(). That follows the same work_mem-based pattern used elsewhere in the backend for per-query working storage. The check is done after SvPVutf8() has reported the length but before utf_u2e() allocates the database-encoding copy. A plperl regression test returns a 16MB string with the default 4MB work_mem and expects: ERROR: Perl value exceeds maximum allowed size (4194304 bytes) HINT: Increase work_mem or reduce the result size. Legitimate functions that need to move more data can raise work_mem for the session, consistent with other operations bounded by that GUC. Comments welcome. -- Regards, Andrey Rachitskiy ^ permalink raw reply [nested|flat] 120+ messages in thread
* Re: [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-07 01:56 Tom Lane <[email protected]> parent: Andrey Rachitskiy <[email protected]> 0 siblings, 1 reply; 120+ messages in thread From: Tom Lane @ 2026-07-07 01:56 UTC (permalink / raw) To: Andrey Rachitskiy <[email protected]>; +Cc: PostgreSQL Hackers <[email protected]>; Nikolay Shaplov <[email protected]> Andrey Rachitskiy <[email protected]> writes: > When a PL/Perl function returns a large text value, sv2cstr() copies the > entire Perl string into backend memory with no size check. The helper > is used on the path from Perl return values and SPI arguments to > PostgreSQL text datums; it simply palloc()s a copy after SvPVutf8(). > A user who is allowed to create untrusted PL/Perl functions can > therefore force the backend to allocate strings far larger than any > session limit. On a memory-constrained host this can get the backend > process killed by the OOM killer (SIGKILL) rather than raising a > catchable PostgreSQL error. This is true of very many operations in PG, not only PL/Perl. Our general answer to that is to disable memory overcommit so that the OOM killer won't apply. One should also note that the same PL/Perl function can (try to) allocate enormous amounts of memory entirely within Perl, where we have no ability to stop it. I don't see how constraining the size of a function result string helps noticeably. > This patch rejects Perl strings larger than work_mem * 1024 bytes, Our normal understanding of work_mem is that it's a point beyond which we'll spill to disk, or otherwise try to reduce our memory consumption at the cost of longer runtime. Not a point at which an outright query failure is OK. So, even if I thought this were something we should address, I don't believe this is an appropriate approach to a fix. regards, tom lane ^ permalink raw reply [nested|flat] 120+ messages in thread
* Re: [PATCH] Limit PL/Perl scalar copies to work_mem @ 2026-07-07 05:44 Andrey Rachitskiy <[email protected]> parent: Tom Lane <[email protected]> 0 siblings, 0 replies; 120+ messages in thread From: Andrey Rachitskiy @ 2026-07-07 05:44 UTC (permalink / raw) To: Tom Lane <[email protected]>; +Cc: PostgreSQL Hackers <[email protected]>; Nikolay Shaplov <[email protected]> Thanks for the review, Tom. You're right that work_mem is a poor fit for a hard failure here, and more generally that this isn't the sort of problem PL/Perl can solve with a small boundary check alone. I should have raised the idea on the list for discussion before sending a patch — I'll do that next time rather than charging ahead with a fix. Thanks for the feedback. On Mon, 06 Jul 2026 21:56:17 -0400, Tom Lane <[email protected]> wrote: > Andrey Rachitskiy <[email protected]> writes: > > When a PL/Perl function returns a large text value, sv2cstr() > > copies the entire Perl string into backend memory with no size > > check. The helper is used on the path from Perl return values and > > SPI arguments to PostgreSQL text datums; it simply palloc()s a copy > > after SvPVutf8(). A user who is allowed to create untrusted PL/Perl > > functions can therefore force the backend to allocate strings far > > larger than any session limit. On a memory-constrained host this > > can get the backend process killed by the OOM killer (SIGKILL) > > rather than raising a catchable PostgreSQL error. > > This is true of very many operations in PG, not only PL/Perl. > Our general answer to that is to disable memory overcommit > so that the OOM killer won't apply. One should also note that > the same PL/Perl function can (try to) allocate enormous amounts > of memory entirely within Perl, where we have no ability to stop > it. I don't see how constraining the size of a function result > string helps noticeably. > > > This patch rejects Perl strings larger than work_mem * 1024 bytes, > > Our normal understanding of work_mem is that it's a point beyond which > we'll spill to disk, or otherwise try to reduce our memory consumption > at the cost of longer runtime. Not a point at which an outright query > failure is OK. > > So, even if I thought this were something we should address, > I don't believe this is an appropriate approach to a fix. > > regards, tom lane -- Regards, Andrey Rachitskiy ^ permalink raw reply [nested|flat] 120+ messages in thread
end of thread, other threads:[~2026-07-07 05:44 UTC | newest] Thread overview: 120+ messages (download: mbox mbox.gz follow: Atom feed) -- links below jump to the message on this page -- 2026-03-25 19:35 [PATCH v48 6/7] Error out any process that would block at REPACK Álvaro Herrera <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:13 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-06 22:41 [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]> 2026-07-07 01:56 ` Re: [PATCH] Limit PL/Perl scalar copies to work_mem Tom Lane <[email protected]> 2026-07-07 05:44 ` Re: [PATCH] Limit PL/Perl scalar copies to work_mem Andrey Rachitskiy <[email protected]>
This inbox is served by agora; see mirroring instructions for how to clone and mirror all data and code used for this inbox