postgresql-geo_ops.patch

   1 diff -uNr postgresql-7.2.3.orig/src/backend/utils/adt/geo_ops.c postgresql-7.2.3/src/backend/utils/adt/geo_ops.c
   2 --- postgresql-7.2.3.orig/src/backend/utils/adt/geo_ops.c       Tue May 14 14:16:54 2002
   3 +++ postgresql-7.2.3/src/backend/utils/adt/geo_ops.c    Fri Dec 20 10:33:33 2002
   4 @@ -269,11 +269,18 @@
   5  static char *
   6  path_encode(bool closed, int npts, Point *pt)
   7  {
   8 -       char       *result = palloc(npts * (P_MAXLEN + 3) + 2);
   9 +       int                size = npts * (P_MAXLEN + 3) + 2;
  10 +       char       *result;
  11
  12         char       *cp;
  13         int                     i;
  14
  15 +       /* Check for integer overflow */
  16 +       if ((size - 2) / npts != (P_MAXLEN + 3))
  17 +               elog(ERROR, "Too many points requested");
  18 +
  19 +       result = palloc(size);
  20 +
  21         cp = result;
  22         switch (closed)
  23         {
  24 @@ -1228,7 +1235,7 @@
  25                 depth++;
  26         }
  27
  28 -       size = offsetof(PATH, p[0]) +sizeof(path->p[0]) * npts;
  29 +       size = offsetof(PATH, p[0]) + sizeof(path->p[0]) * npts;
  30         path = (PATH *) palloc(size);
  31
  32         path->size = size;
  33 @@ -3594,13 +3601,21 @@
  34         PATH       *p1 = PG_GETARG_PATH_P(0);
  35         PATH       *p2 = PG_GETARG_PATH_P(1);
  36         PATH       *result;
  37 -       int                     size;
  38 +       int                     size,
  39 +                               base_size;
  40         int                     i;
  41
  42         if (p1->closed || p2->closed)
  43                 PG_RETURN_NULL();
  44
  45 -       size = offsetof(PATH, p[0]) +sizeof(p1->p[0]) * (p1->npts + p2->npts);
  46 +       base_size = sizeof(p1->p[0]) * (p1->npts + p2->npts);
  47 +       size = offsetof(PATH, p[0]) + base_size;
  48 +
  49 +       /* Check for integer overflow */
  50 +       if (base_size / sizeof(p1->p[0]) != (p1->npts + p2->npts) ||
  51 +               size <= base_size)
  52 +               elog(ERROR, "Too many points requested.");
  53 +
  54         result = (PATH *) palloc(size);
  55
  56         result->size = size;
  57 @@ -4411,17 +4426,24 @@
  58         int32           npts = PG_GETARG_INT32(0);
  59         CIRCLE     *circle = PG_GETARG_CIRCLE_P(1);
  60         POLYGON    *poly;
  61 -       int                     size;
  62 +       int                     base_size,
  63 +                               size;
  64         int                     i;
  65         double          angle;
  66
  67         if (FPzero(circle->radius) || (npts < 2))
  68                 elog(ERROR, "Unable to convert circle to polygon");
  69
  70 -       size = offsetof(POLYGON, p[0]) +(sizeof(poly->p[0]) * npts);
  71 +       base_size = sizeof(poly->p[0]) * npts;
  72 +       size = offsetof(POLYGON, p[0]) + base_size;
  73 +
  74 +       /* Check for integer overflow */
  75 +       if (base_size / npts != sizeof(poly->p[0]) || size <= base_size)
  76 +               elog(ERROR, "Too many points requested");
  77 +
  78         poly = (POLYGON *) palloc(size);
  79
  80 -       MemSet((char *) poly, 0, size);         /* zero any holes */
  81 +       MemSet(poly, 0, size);          /* zero any holes */
  82         poly->size = size;
  83         poly->npts = npts;
  84