-
Notifications
You must be signed in to change notification settings - Fork 488
Critical: check for Size overflow when using palloc #2408
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -1023,6 +1023,8 @@ static agtype_value *push_agtype_value_scalar(agtype_parse_state **pstate, | |||||||||||||||||||||||||||||||
| { | ||||||||||||||||||||||||||||||||
| (*pstate)->size = 4; | ||||||||||||||||||||||||||||||||
| } | ||||||||||||||||||||||||||||||||
| if ((*pstate)->size > SIZE_MAX / sizeof(agtype_value)) | ||||||||||||||||||||||||||||||||
| ereport(ERROR, "allocation request exceeds size limits"); | ||||||||||||||||||||||||||||||||
| (*pstate)->cont_val.val.array.elems = | ||||||||||||||||||||||||||||||||
| palloc(sizeof(agtype_value) * (*pstate)->size); | ||||||||||||||||||||||||||||||||
| (*pstate)->last_updated_value = NULL; | ||||||||||||||||||||||||||||||||
|
|
@@ -1034,6 +1036,8 @@ static agtype_value *push_agtype_value_scalar(agtype_parse_state **pstate, | |||||||||||||||||||||||||||||||
| (*pstate)->cont_val.type = AGTV_OBJECT; | ||||||||||||||||||||||||||||||||
| (*pstate)->cont_val.val.object.num_pairs = 0; | ||||||||||||||||||||||||||||||||
| (*pstate)->size = 4; | ||||||||||||||||||||||||||||||||
| if ((*pstate)->size > SIZE_MAX / sizeof(agtype_pair)) | ||||||||||||||||||||||||||||||||
| ereport(ERROR, "allocation request exceeds size limits"); | ||||||||||||||||||||||||||||||||
| (*pstate)->cont_val.val.object.pairs = | ||||||||||||||||||||||||||||||||
| palloc(sizeof(agtype_pair) * (*pstate)->size); | ||||||||||||||||||||||||||||||||
|
Comment on lines
+1039
to
1042
|
||||||||||||||||||||||||||||||||
| (*pstate)->last_updated_value = NULL; | ||||||||||||||||||||||||||||||||
|
|
@@ -1120,6 +1124,8 @@ static void append_key(agtype_parse_state *pstate, agtype_value *string) | |||||||||||||||||||||||||||||||
| if (object->val.object.num_pairs >= pstate->size) | ||||||||||||||||||||||||||||||||
| { | ||||||||||||||||||||||||||||||||
| pstate->size *= 2; | ||||||||||||||||||||||||||||||||
| if ((*pstate)->size > SIZE_MAX / sizeof(agtype_pair)) | ||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||
| if ((*pstate)->size > SIZE_MAX / sizeof(agtype_pair)) | |
| if (pstate->size > SIZE_MAX / sizeof(agtype_pair)) |
Copilot
AI
Apr 27, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The overflow check is placed after pstate->size *= 2. If Size wraps on multiplication, pstate->size can become small and pass the subsequent SIZE_MAX / sizeof(...) check, reintroducing the exact under-allocation risk this PR is trying to fix. The check needs to happen before doubling (or use a safe arithmetic helper) so that overflow in the growth step itself is prevented.
| pstate->size *= 2; | |
| if ((*pstate)->size > SIZE_MAX / sizeof(agtype_pair)) | |
| ereport(ERROR, "allocation request exceeds size limits"); | |
| if (pstate->size > SIZE_MAX / 2 || | |
| pstate->size > (SIZE_MAX / sizeof(agtype_pair)) / 2) | |
| ereport(ERROR, "allocation request exceeds size limits"); | |
| pstate->size *= 2; |
Copilot
AI
Apr 27, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The newly added ereport in this block uses a raw string literal. In this file, ereport must be invoked with an error clause list (e.g., errmsg(...)), otherwise it won’t compile. Please rewrite this ereport to match the existing patterns in the surrounding code.
| ereport(ERROR, "allocation request exceeds size limits"); | |
| ereport(ERROR, | |
| (errmsg("allocation request exceeds size limits"))); |
Copilot
AI
Apr 27, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In append_element, pstate is an agtype_parse_state *, so (*pstate)->size is invalid and will not compile. Use the direct field access form already used elsewhere in this function (pstate->size).
| if ((*pstate)->size > SIZE_MAX / sizeof(agtype_value)) | |
| if (pstate->size > SIZE_MAX / sizeof(agtype_value)) |
Copilot
AI
Apr 27, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same pattern as the object growth path: the overflow check comes after pstate->size *= 2, so an overflow in the doubling step itself can wrap size and evade the subsequent SIZE_MAX / sizeof(...) guard. Move the guard before the doubling (or use safe-arithmetic helpers) to ensure capacity growth can’t wrap and cause an under-sized repalloc.
| pstate->size *= 2; | |
| if ((*pstate)->size > SIZE_MAX / sizeof(agtype_value)) | |
| ereport(ERROR, "allocation request exceeds size limits"); | |
| size_t new_size; | |
| if (pstate->size > SIZE_MAX / 2) | |
| ereport(ERROR, "allocation request exceeds size limits"); | |
| new_size = pstate->size * 2; | |
| if (new_size > SIZE_MAX / sizeof(agtype_value)) | |
| ereport(ERROR, "allocation request exceeds size limits"); | |
| pstate->size = new_size; |
Copilot
AI
Apr 27, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The ereport added here is using a raw string literal, but ereport in this codebase expects an errmsg(...) (and optionally errcode(...)) clause list; as written, it will not compile. Update this call to follow the existing ereport(ERROR, (errmsg(...))) style in the file.
| ereport(ERROR, "allocation request exceeds size limits"); | |
| ereport(ERROR, (errmsg("allocation request exceeds size limits"))); |
Copilot
AI
Apr 27, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This new guard uses ereport(ERROR, "..."), which doesn’t match the valid ereport(ERROR, (errmsg(...))) style used elsewhere in this file and will not compile as-is. Update it to the standard ereport(ERROR, (...)) form so the overflow check is actually effective.
| ereport(ERROR, "allocation request exceeds size limits"); | |
| ereport(ERROR, | |
| (errmsg("allocation request exceeds size limits"))); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ereportis being called with a raw string here, but in this codebaseereportexpects an error-reporting clause (e.g.,errmsg(...), optionally witherrcode(...)). As written, this won’t compile (and it also deviates from the nearbyERRCODE_PROGRAM_LIMIT_EXCEEDEDusage). Update these new overflow checks to use the standardereport(ERROR, (errmsg(...)))form (and consider an appropriateerrcode).