[packages/postgresql.git] / postgresql-geo_ops.patch

diff -uNr postgresql-7.2.3.orig/src/backend/utils/adt/geo_ops.c postgresql-7.2.3/src/backend/utils/adt/geo_ops.c
--- postgresql-7.2.3.orig/src/backend/utils/adt/geo_ops.c	Tue May 14 14:16:54 2002
+++ postgresql-7.2.3/src/backend/utils/adt/geo_ops.c	Fri Dec 20 10:33:33 2002
@@ -269,11 +269,18 @@
 static char *
 path_encode(bool closed, int npts, Point *pt)
 {
-	char	   *result = palloc(npts * (P_MAXLEN + 3) + 2);
+	int		   size = npts * (P_MAXLEN + 3) + 2;
+	char	   *result;
 
 	char	   *cp;
 	int			i;
 
+	/* Check for integer overflow */
+	if ((size - 2) / npts != (P_MAXLEN + 3))
+		elog(ERROR, "Too many points requested");
+
+	result = palloc(size);
+
 	cp = result;
 	switch (closed)
 	{
@@ -1228,7 +1235,7 @@
 		depth++;
 	}
 
-	size = offsetof(PATH, p[0]) +sizeof(path->p[0]) * npts;
+	size = offsetof(PATH, p[0]) + sizeof(path->p[0]) * npts;
 	path = (PATH *) palloc(size);
 
 	path->size = size;
@@ -3594,13 +3601,21 @@
 	PATH	   *p1 = PG_GETARG_PATH_P(0);
 	PATH	   *p2 = PG_GETARG_PATH_P(1);
 	PATH	   *result;
-	int			size;
+	int			size,
+				base_size;
 	int			i;
 
 	if (p1->closed || p2->closed)
 		PG_RETURN_NULL();
 
-	size = offsetof(PATH, p[0]) +sizeof(p1->p[0]) * (p1->npts + p2->npts);
+	base_size = sizeof(p1->p[0]) * (p1->npts + p2->npts);
+	size = offsetof(PATH, p[0]) + base_size;
+
+	/* Check for integer overflow */
+	if (base_size / sizeof(p1->p[0]) != (p1->npts + p2->npts) ||
+		size <= base_size)
+		elog(ERROR, "Too many points requested.");
+
 	result = (PATH *) palloc(size);
 
 	result->size = size;
@@ -4411,17 +4426,24 @@
 	int32		npts = PG_GETARG_INT32(0);
 	CIRCLE	   *circle = PG_GETARG_CIRCLE_P(1);
 	POLYGON    *poly;
-	int			size;
+	int			base_size,
+				size;
 	int			i;
 	double		angle;
 
 	if (FPzero(circle->radius) || (npts < 2))
 		elog(ERROR, "Unable to convert circle to polygon");
 
-	size = offsetof(POLYGON, p[0]) +(sizeof(poly->p[0]) * npts);
+	base_size = sizeof(poly->p[0]) * npts;
+	size = offsetof(POLYGON, p[0]) + base_size;
+
+	/* Check for integer overflow */
+	if (base_size / npts != sizeof(poly->p[0]) || size <= base_size)
+		elog(ERROR, "Too many points requested");
+
 	poly = (POLYGON *) palloc(size);
 
-	MemSet((char *) poly, 0, size);		/* zero any holes */
+	MemSet(poly, 0, size);		/* zero any holes */
 	poly->size = size;
 	poly->npts = npts;
Commit	Line	Data
1bc9abe2 JB	1	diff -uNr postgresql-7.2.3.orig/src/backend/utils/adt/geo_ops.c postgresql-7.2.3/src/backend/utils/adt/geo_ops.c
	2	--- postgresql-7.2.3.orig/src/backend/utils/adt/geo_ops.c Tue May 14 14:16:54 2002
	3	+++ postgresql-7.2.3/src/backend/utils/adt/geo_ops.c Fri Dec 20 10:33:33 2002
	4	@@ -269,11 +269,18 @@
	5	static char *
	6	path_encode(bool closed, int npts, Point *pt)
	7	{
	8	- char result = palloc(npts (P_MAXLEN + 3) + 2);
	9	+ int size = npts * (P_MAXLEN + 3) + 2;
	10	+ char *result;
	11
	12	char *cp;
	13	int i;
	14
	15	+ /* Check for integer overflow */
	16	+ if ((size - 2) / npts != (P_MAXLEN + 3))
	17	+ elog(ERROR, "Too many points requested");
	18	+
	19	+ result = palloc(size);
	20	+
	21	cp = result;
	22	switch (closed)
	23	{
	24	@@ -1228,7 +1235,7 @@
	25	depth++;
	26	}
	27
	28	- size = offsetof(PATH, p[0]) +sizeof(path->p[0]) * npts;
	29	+ size = offsetof(PATH, p[0]) + sizeof(path->p[0]) * npts;
	30	path = (PATH *) palloc(size);
	31
	32	path->size = size;
	33	@@ -3594,13 +3601,21 @@
	34	PATH *p1 = PG_GETARG_PATH_P(0);
	35	PATH *p2 = PG_GETARG_PATH_P(1);
	36	PATH *result;
	37	- int size;
	38	+ int size,
	39	+ base_size;
	40	int i;
	41
	42	if (p1->closed \|\| p2->closed)
	43	PG_RETURN_NULL();
	44
	45	- size = offsetof(PATH, p[0]) +sizeof(p1->p[0]) * (p1->npts + p2->npts);
	46	+ base_size = sizeof(p1->p[0]) * (p1->npts + p2->npts);
	47	+ size = offsetof(PATH, p[0]) + base_size;
	48	+
	49	+ /* Check for integer overflow */
	50	+ if (base_size / sizeof(p1->p[0]) != (p1->npts + p2->npts) \|\|
	51	+ size <= base_size)
	52	+ elog(ERROR, "Too many points requested.");
	53	+
	54	result = (PATH *) palloc(size);
	55
	56	result->size = size;
	57	@@ -4411,17 +4426,24 @@
	58	int32 npts = PG_GETARG_INT32(0);
	59	CIRCLE *circle = PG_GETARG_CIRCLE_P(1);
	60	POLYGON *poly;
	61	- int size;
	62	+ int base_size,
	63	+ size;
	64	int i;
65	double angle;
66
67	if (FPzero(circle->radius) \|\| (npts < 2))
68	elog(ERROR, "Unable to convert circle to polygon");
69
70	- size = offsetof(POLYGON, p[0]) +(sizeof(poly->p[0]) * npts);
71	+ base_size = sizeof(poly->p[0]) * npts;
72	+ size = offsetof(POLYGON, p[0]) + base_size;
73	+
74	+ /* Check for integer overflow */
75	+ if (base_size / npts != sizeof(poly->p[0]) \|\| size <= base_size)
76	+ elog(ERROR, "Too many points requested");
77	+
78	poly = (POLYGON *) palloc(size);
79
80	- MemSet((char ) poly, 0, size); / zero any holes */
81	+ MemSet(poly, 0, size); /* zero any holes */
82	poly->size = size;
83	poly->npts = npts;
84