1bc9abe2 JB |
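diff -uNr postgresql-7.2.3.orig/src/backend/utils/adt/geo_ops.c postgresql-7.2.3/src/backend/utils/adt/geo_ops.c
--- postgresql-7.2.3.orig/src/backend/utils/adt/geo_ops.c Tue May 14 14:16:54 2002
+++ postgresql-7.2.3/src/backend/utils/adt/geo_ops.c Fri Dec 20 10:33:33 2002
@@ -269,11 +269,18 @@
 static char *
 path_encode(bool closed, int npts, Point *pt)
 {
- char *result = palloc(npts * (P_MAXLEN + 3) + 2);
+ int size = npts * (P_MAXLEN + 3) + 2;
+ char *result;
 
 char *cp;
 int i;
 
+ /* Check for integer overflow */
+ if ((size - 2) / npts != (P_MAXLEN + 3))
+ elog(ERROR, "Too many points requested");
+
+ result = palloc(size);
+
 cp = result;
 switch (closed)
 {
@@ -1228,7 +1235,7 @@
 depth++;
 }
 
- size = offsetof(PATH, p[0]) +sizeof(path->p[0]) * npts;
+ size = offsetof(PATH, p[0]) + sizeof(path->p[0]) * npts;
 path = (PATH *) palloc(size);
 
 path->size = size;
@@ -3594,13 +3601,21 @@
 PATH *p1 = PG_GETARG_PATH_P(0);
 PATH *p2 = PG_GETARG_PATH_P(1);
 PATH *result;
- int size;
+ int size,
+ base_size;
 int i;
 
 if (p1->closed || p2->closed)
 PG_RETURN_NULL();
 
- size = offsetof(PATH, p[0]) +sizeof(p1->p[0]) * (p1->npts + p2->npts);
+ base_size = sizeof(p1->p[0]) * (p1->npts + p2->npts);
+ size = offsetof(PATH, p[0]) + base_size;
+
+ /* Check for integer overflow */
+ if (base_size / sizeof(p1->p[0]) != (p1->npts + p2->npts) ||
+ size <= base_size)
+ elog(ERROR, "Too many points requested.");
+
 result = (PATH *) palloc(size);
 
 result->size = size;
@@ -4411,17 +4426,24 @@
 int32 npts = PG_GETARG_INT32(0);
 CIRCLE *circle = PG_GETARG_CIRCLE_P(1);
 POLYGON *poly;
- int size;
+ int base_size,
+ size;
 int i;
 double angle;
 
 if (FPzero(circle->radius) || (npts < 2))
 elog(ERROR, "Unable to convert circle to polygon");
 
- size = offsetof(POLYGON, p[0]) +(sizeof(poly->p[0]) * npts);
+ base_size = sizeof(poly->p[0]) * npts;
+ size = offsetof(POLYGON, p[0]) + base_size;
+
+ /* Check for integer overflow */
+ if (base_size / npts != sizeof(poly->p[0]) || size <= base_size)
+ elog(ERROR, "Too many points requested");
+
 poly = (POLYGON *) palloc(size);
 
- MemSet((char *) poly, 0, size); /* zero any holes */
+ MemSet(poly, 0, size); /* zero any holes */
 poly->size = size;
 poly->npts = npts;
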
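Review bot: In the first hunk (path_encode) the overflow test runs only after `npts * (P_MAXLEN + 3) + 2` has already been evaluated in signed `int`, where overflow is undefined behaviour, so an optimising compiler may treat `(size - 2) / npts != (P_MAXLEN + 3)` as always false and drop the guard before `palloc(size)`. The same test divides by `npts` with no visible guard against zero, whereas the circle_poly hunk is protected because `npts < 2` is rejected before its division. Bounding the count before multiplying avoids both: `if (npts <= 0 || npts > (INT_MAX - 2) / (P_MAXLEN + 3)) elog(ERROR, "Too many points requested");` and only then `size = npts * (P_MAXLEN + 3) + 2;`. Whether any caller can legitimately pass zero points is not visible in the hunk, so the `npts <= 0` arm should be checked against the callers. As a smaller style point, the path_add hunk's message ends in a period ("Too many points requested.") while the other two do not.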