Sir Mordred The Traitor <mordred@s-mail.com> writes:
> template1=# select substring('xxxxxxxx',2,2147483647);
With CVS HEAD (with database encoding = SQL_ASCII and UNICODE), I get:
nconway=# select substring('xxxxxxxx',2,2147483647);
ERROR: negative substring length not allowed
With REL7_2_STABLE, I get:
template1=# select substring('xxxxxxxx',2,2147483647);
ERROR: MemoryContextAlloc: invalid request size 2147483651
> template1=# select bpchar('x',100000000);
With both CVS HEAD and REL7_2_STABLE, I get:
template1=# select bpchar('x',100000000);
zsh: 7312 segmentation fault (core dumped) ./psql template1
(note that it's the client, and not the backend, that crashes)
The backend does, however, allocate a couple of hundred megs of memory
while processing the query.
Although I haven't looked at the code yet, it's probably worth noting
that the two test cases posted above are not cut-and-dried DoS
opportunities, AFAICT -- however, the code may still be vulnerable.
Cheers,
Neil
--
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC
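Both test cases in the message above probe length arithmetic that does not fit in a 32-bit int: 2 + 2147483647 wraps to -2147483647 in int32, which is consistent with HEAD rejecting a positive argument as a "negative substring length", while the 7.2 figure of 2147483651 is the length plus a 4-byte header, meaning that sum was formed in a wider type and was caught by the allocator's size limit rather than by a bounds check. The following is an added example, not PostgreSQL's code and not part of the thread: it models a 1-based substring(str, start, len) with the naive 32-bit end-position arithmetic beside a version that widens to int64_t before adding, rejects a negative length up front, clamps the range to the string that actually exists, and refuses to write past the caller's buffer. The function names, the enum and the 16-byte test buffer are this example's own choices.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example: models the bounds arithmetic of a 1-based SQL
 * substring(str, start, len). It is NOT PostgreSQL's implementation; it
 * only shows why substring('xxxxxxxx', 2, 2147483647) is an overflow
 * probe and what a check that survives it looks like. */

enum sub_status { SUB_OK = 0, SUB_NEG_LEN = 1, SUB_BUF_TOO_SMALL = 2 };

/* Does a + b leave the int32_t range? Computed in int64_t, so the test
 * itself cannot overflow. */
int int32_add_overflows(int32_t a, int32_t b)
{
    int64_t sum = (int64_t)a + (int64_t)b;
    return sum > INT32_MAX || sum < INT32_MIN;
}

/* The value a naive 32-bit "end = start + len" yields for the probe.
 * Signed overflow is undefined behaviour in C, so the wrap is done
 * explicitly through uint32_t to make the result deterministic. */
int32_t naive_end_position(int32_t start, int32_t len)
{
    return (int32_t)((uint32_t)start + (uint32_t)len);
}

/* Hardened substring: widen to int64_t before any arithmetic, reject a
 * negative length first, clamp the range to the source string, and never
 * write past the caller's buffer. Result is NUL-terminated in out. */
enum sub_status substring_checked(const char *s, int32_t start, int32_t len,
                                  char *out, size_t outsz, size_t *outlen)
{
    int64_t slen = (int64_t)strlen(s);
    int64_t s1 = start;          /* 1-based start, widened */
    int64_t end;                 /* exclusive end, widened: cannot wrap */

    *outlen = 0;
    if (outsz > 0)
        out[0] = '\0';
    if (len < 0)
        return SUB_NEG_LEN;

    end = s1 + (int64_t)len;
    if (s1 < 1)
        s1 = 1;                  /* positions before 1 do not exist */
    if (end > slen + 1)
        end = slen + 1;          /* never read past the source string */
    if (end <= s1)
        return SUB_OK;           /* empty result */

    if ((size_t)(end - s1) >= outsz)
        return SUB_BUF_TOO_SMALL;
    memcpy(out, s + (s1 - 1), (size_t)(end - s1));
    out[end - s1] = '\0';
    *outlen = (size_t)(end - s1);
    return SUB_OK;
}

/* Test helper: run substring_checked into a 16-byte buffer (or a smaller
 * prefix of it via outsz) and return the status; on SUB_OK also require
 * the output to equal expect, returning -1 if it does not. */
int run_checked(const char *s, int32_t start, int32_t len, size_t outsz,
                const char *expect)
{
    char buf[16];
    size_t n;
    enum sub_status st;

    if (outsz > sizeof buf)
        outsz = sizeof buf;
    st = substring_checked(s, start, len, buf, outsz, &n);
    if (st == SUB_OK && (strcmp(buf, expect) != 0 || n != strlen(expect)))
        return -1;
    return (int)st;
}

int main(void)
{
    char buf[64];
    size_t n;
    int32_t start = 2, len = INT32_MAX;   /* the probe from the message */

    printf("naive end position: %d (overflows: %d)\n",
           naive_end_position(start, len), int32_add_overflows(start, len));
    if (substring_checked("xxxxxxxx", start, len, buf, sizeof buf, &n) == SUB_OK)
        printf("checked result: \"%s\" (%zu bytes)\n", buf, n);
    return 0;
}
```

The point of the widened version is that the only quantities ever used as a length or an index are derived after clamping against strlen(s), so a caller-supplied length can at most cost the length of the string, not a multi-gigabyte allocation or a wrapped negative value.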