1 diff -uNr postgresql-7.2.3.orig/src/backend/utils/adt/geo_ops.c postgresql-7.2.3/src/backend/utils/adt/geo_ops.c
2 --- postgresql-7.2.3.orig/src/backend/utils/adt/geo_ops.c Tue May 14 14:16:54 2002
3 +++ postgresql-7.2.3/src/backend/utils/adt/geo_ops.c Fri Dec 20 10:33:33 2002
6 path_encode(bool closed, int npts, Point *pt)
8 - char *result = palloc(npts * (P_MAXLEN + 3) + 2);
9 + int size = npts * (P_MAXLEN + 3) + 2;
15 + /* Check for integer overflow */
16 + if ((size - 2) / npts != (P_MAXLEN + 3))
17 + elog(ERROR, "Too many points requested");
19 + result = palloc(size);
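Review bot: The overflow test in path_encode runs only after `npts * (P_MAXLEN + 3) + 2` has been evaluated in `int`, and signed overflow is undefined behaviour in C, so a compiler is entitled to assume it cannot happen and drop the `(size - 2) / npts` comparison. That comparison also divides by `npts`, which would fault if a caller passed zero; no guard is visible here, though this listing omits the hunk header and several lines of the function. Bounding the count before the multiplication avoids both problems: `if (npts < 0 || npts > (INT_MAX - 2) / (P_MAXLEN + 3)) elog(ERROR, "Too many points requested");`, followed by the assignment to `size`. The `base_size` checks in the hunks at -3594 and -4411 have the same compute-then-verify shape and are sound only if `base_size` and `size` are unsigned there, which those hunks do not show.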
28 - size = offsetof(PATH, p[0]) +sizeof(path->p[0]) * npts;
29 + size = offsetof(PATH, p[0]) + sizeof(path->p[0]) * npts;
30 path = (PATH *) palloc(size);
33 @@ -3594,13 +3601,21 @@
34 PATH *p1 = PG_GETARG_PATH_P(0);
35 PATH *p2 = PG_GETARG_PATH_P(1);
42 if (p1->closed || p2->closed)
45 - size = offsetof(PATH, p[0]) +sizeof(p1->p[0]) * (p1->npts + p2->npts);
46 + base_size = sizeof(p1->p[0]) * (p1->npts + p2->npts);
47 + size = offsetof(PATH, p[0]) + base_size;
49 + /* Check for integer overflow */
50 + if (base_size / sizeof(p1->p[0]) != (p1->npts + p2->npts) ||
52 + elog(ERROR, "Too many points requested.");
54 result = (PATH *) palloc(size);
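Review bot: The point count `p1->npts + p2->npts` is added in the operands' own type before anything is checked, and the `base_size / sizeof(p1->p[0])` comparison then mixes that sum with an unsigned quotient. If `npts` is a signed `int` (its declaration is outside this hunk), validating the sum first is more robust: `if (p1->npts > INT_MAX - p2->npts) elog(ERROR, "Too many points requested");`. The second operand of the `||` is not present in this listing, so the check covering the `offsetof(PATH, p[0])` addition cannot be reviewed from here. The message in this hunk ends with a period while the other two added messages do not; a single spelling keeps log matching and alerting rules simple.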
57 @@ -4411,17 +4426,24 @@
58 int32 npts = PG_GETARG_INT32(0);
59 CIRCLE *circle = PG_GETARG_CIRCLE_P(1);
67 if (FPzero(circle->radius) || (npts < 2))
68 elog(ERROR, "Unable to convert circle to polygon");
70 - size = offsetof(POLYGON, p[0]) +(sizeof(poly->p[0]) * npts);
71 + base_size = sizeof(poly->p[0]) * npts;
72 + size = offsetof(POLYGON, p[0]) + base_size;
74 + /* Check for integer overflow */
75 + if (base_size / npts != sizeof(poly->p[0]) || size <= base_size)
76 + elog(ERROR, "Too many points requested");
78 poly = (POLYGON *) palloc(size);
80 - MemSet((char *) poly, 0, size); /* zero any holes */
81 + MemSet(poly, 0, size); /* zero any holes */