From 8dacb29ca7c92814d69135f40e16a46f8cf9cbaf Mon Sep 17 00:00:00 2001
From: Noah Misch <noah@leadboat.com>
Date: Mon, 5 Oct 2015 10:06:29 -0400
Subject: [PATCH 2/2] Prevent stack overflow in json-related functions.

Sufficiently-deep recursion heretofore elicited a SIGSEGV.  If an
application constructs PostgreSQL json or jsonb values from arbitrary
user input, application users could have exploited this to terminate all
active database connections.  That applies to 9.3, where the json parser
adopted recursive descent, and later versions.  Only row_to_json() and
array_to_json() were at risk in 9.2, both in a non-security capacity.
Back-patch to 9.2, where the json type was introduced.

Oskari Saarenmaa, reviewed by Michael Paquier.

Security: CVE-2015-5289
---
 src/backend/utils/adt/json.c |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/backend/utils/adt/json.c b/src/backend/utils/adt/json.c
index f0cbb39..fd1d8fb 100644
--- a/src/backend/utils/adt/json.c
+++ b/src/backend/utils/adt/json.c
@@ -18,6 +18,7 @@
 #include "lib/stringinfo.h"
 #include "libpq/pqformat.h"
 #include "mb/pg_wchar.h"
+#include "miscadmin.h"
 #include "parser/parse_coerce.h"
 #include "utils/array.h"
 #include "utils/builtins.h"
@@ -895,6 +896,8 @@ datum_to_json(Datum val, bool is_null, StringInfo result,
 	bool		numeric_error;
 	JsonLexContext dummy_lex;
 
+	check_stack_depth();
+
 	if (is_null)
 	{
 		appendStringInfoString(result, "null");
-- 
1.7.9.5