repeat() fix:

> Neil Conway <neilc@samurai.com> writes: > > + /* Check for integer overflow */ > > + if (tlen / slen != count) > > + elog(ERROR, "Requested buffer is too large."); > > What about slen == 0? Good point -- that wouldn't cause incorrect results or a security problem, but it would reject input that we should really accept. Revised patch is attached. Neil Conway

repeat() fix:
> Neil Conway <neilc@samurai.com> writes: > > + /* Check for integer overflow */ > > + if (tlen / slen != count) > > + elog(ERROR, "Requested buffer is too large."); > > What about slen == 0? Good point -- that wouldn't cause incorrect results or a security problem, but it would reject input that we should really accept. Revised patch is attached. Neil Conway
cbe733d7 · Bruce Momjian · c76f5aa5 · cbe733d7
Commit cbe733d7 authored Aug 22, 2002 by Bruce Momjian
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

src/backend/utils/adt/oracle_compat.c src/backend/utils/adt/oracle_compat.c +5 -1

No files found.
--- a/src/backend/utils/adt/oracle_compat.c
+++ b/src/backend/utils/adt/oracle_compat.c
@@ -9,7 +9,7 @@
 *
 *
 * IDENTIFICATION
- *	$Header: /cvsroot/pgsql/src/backend/utils/adt/oracle_compat.c,v 1.38 2002/06/20 20:51:45 momjian Exp $
+ *	$Header: /cvsroot/pgsql/src/backend/utils/adt/oracle_compat.c,v 1.39 2002/08/22 04:54:20 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -997,6 +997,10 @@ repeat(PG_FUNCTION_ARGS)
 	slen = (VARSIZE(string) - VARHDRSZ);
 	tlen = (VARHDRSZ + (count * slen));

+	/* Check for integer overflow */
+	if (slen != 0 && count != 0 && tlen / slen != count)
+		elog(ERROR, "Requested buffer is too large.");
+
 	result = (text *) palloc(tlen);

 	VARATT_SIZEP(result) = tlen;