- fix for overflow in geo operations (from RH)
authorJakub Bogusz <qboosh@pld-linux.org>
Tue, 4 Feb 2003 14:53:17 +0000 (14:53 +0000)
committercvs2git <feedback@pld-linux.org>
Sun, 24 Jun 2012 12:13:13 +0000 (12:13 +0000)
Changed files:
    postgresql-geo_ops.patch -> 1.1

postgresql-geo_ops.patch [new file with mode: 0644]

diff --git a/postgresql-geo_ops.patch b/postgresql-geo_ops.patch
new file mode 100644 (file)
index 0000000..9073c9b
--- /dev/null
@@ -0,0 +1,84 @@
+diff -uNr postgresql-7.2.3.orig/src/backend/utils/adt/geo_ops.c postgresql-7.2.3/src/backend/utils/adt/geo_ops.c
+--- postgresql-7.2.3.orig/src/backend/utils/adt/geo_ops.c      Tue May 14 14:16:54 2002
++++ postgresql-7.2.3/src/backend/utils/adt/geo_ops.c   Fri Dec 20 10:33:33 2002
+@@ -269,11 +269,18 @@
+ static char *
+ path_encode(bool closed, int npts, Point *pt)
+ {
+-      char       *result = palloc(npts * (P_MAXLEN + 3) + 2);
++      int                size = npts * (P_MAXLEN + 3) + 2;
++      char       *result;
+       char       *cp;
+       int                     i;
++      /* Check for integer overflow */
++      if ((size - 2) / npts != (P_MAXLEN + 3))
++              elog(ERROR, "Too many points requested");
++
++      result = palloc(size);
++
+       cp = result;
+       switch (closed)
+       {
+@@ -1228,7 +1235,7 @@
+               depth++;
+       }
+-      size = offsetof(PATH, p[0]) +sizeof(path->p[0]) * npts;
++      size = offsetof(PATH, p[0]) + sizeof(path->p[0]) * npts;
+       path = (PATH *) palloc(size);
+       path->size = size;
+@@ -3594,13 +3601,21 @@
+       PATH       *p1 = PG_GETARG_PATH_P(0);
+       PATH       *p2 = PG_GETARG_PATH_P(1);
+       PATH       *result;
+-      int                     size;
++      int                     size,
++                              base_size;
+       int                     i;
+       if (p1->closed || p2->closed)
+               PG_RETURN_NULL();
+-      size = offsetof(PATH, p[0]) +sizeof(p1->p[0]) * (p1->npts + p2->npts);
++      base_size = sizeof(p1->p[0]) * (p1->npts + p2->npts);
++      size = offsetof(PATH, p[0]) + base_size;
++
++      /* Check for integer overflow */
++      if (base_size / sizeof(p1->p[0]) != (p1->npts + p2->npts) ||
++              size <= base_size)
++              elog(ERROR, "Too many points requested.");
++
+       result = (PATH *) palloc(size);
+       result->size = size;
+@@ -4411,17 +4426,24 @@
+       int32           npts = PG_GETARG_INT32(0);
+       CIRCLE     *circle = PG_GETARG_CIRCLE_P(1);
+       POLYGON    *poly;
+-      int                     size;
++      int                     base_size,
++                              size;
+       int                     i;
+       double          angle;
+       if (FPzero(circle->radius) || (npts < 2))
+               elog(ERROR, "Unable to convert circle to polygon");
+-      size = offsetof(POLYGON, p[0]) +(sizeof(poly->p[0]) * npts);
++      base_size = sizeof(poly->p[0]) * npts;
++      size = offsetof(POLYGON, p[0]) + base_size;
++
++      /* Check for integer overflow */
++      if (base_size / npts != sizeof(poly->p[0]) || size <= base_size)
++              elog(ERROR, "Too many points requested");
++
+       poly = (POLYGON *) palloc(size);
+-      MemSet((char *) poly, 0, size);         /* zero any holes */
++      MemSet(poly, 0, size);          /* zero any holes */
+       poly->size = size;
+       poly->npts = npts;
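Review bot: The overflow check added to path_encode runs only after `npts * (P_MAXLEN + 3) + 2` has been computed in `int`, so it relies on signed wrap-around, which is undefined behaviour that a compiler may optimise away; it also divides by `npts` with no zero guard visible in the hunk. Testing the bound before multiplying avoids both: `if (npts > (INT_MAX - 2) / (P_MAXLEN + 3)) elog(ERROR, "Too many points requested");` (needs `<limits.h>` if the file does not already include it). The path_add and circle-to-polygon hunks likewise compute first and check afterwards through an `int`, and in path_add the sum `p1->npts + p2->npts` can itself overflow before the test. The `@@ -1228,7 +1235,7 @@` hunk only fixes spacing and still passes an unchecked `size` to palloc; whether `npts` is bounded at that point is not visible here, since all of these functions continue outside their hunks.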