45 lines
1.4 KiB
Diff
45 lines
1.4 KiB
Diff
From 8dacb29ca7c92814d69135f40e16a46f8cf9cbaf Mon Sep 17 00:00:00 2001
|
|
From: Noah Misch <noah@leadboat.com>
|
|
Date: Mon, 5 Oct 2015 10:06:29 -0400
|
|
Subject: [PATCH 2/2] Prevent stack overflow in json-related functions.
|
|
|
|
Sufficiently-deep recursion heretofore elicited a SIGSEGV. If an
|
|
application constructs PostgreSQL json or jsonb values from arbitrary
|
|
user input, application users could have exploited this to terminate all
|
|
active database connections. That applies to 9.3, where the json parser
|
|
adopted recursive descent, and later versions. Only row_to_json() and
|
|
array_to_json() were at risk in 9.2, both in a non-security capacity.
|
|
Back-patch to 9.2, where the json type was introduced.
|
|
|
|
Oskari Saarenmaa, reviewed by Michael Paquier.
|
|
|
|
Security: CVE-2015-5289
|
|
---
|
|
src/backend/utils/adt/json.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/src/backend/utils/adt/json.c b/src/backend/utils/adt/json.c
|
|
index f0cbb39..fd1d8fb 100644
|
|
--- a/src/backend/utils/adt/json.c
|
|
+++ b/src/backend/utils/adt/json.c
|
|
@@ -18,6 +18,7 @@
|
|
#include "lib/stringinfo.h"
|
|
#include "libpq/pqformat.h"
|
|
#include "mb/pg_wchar.h"
|
|
+#include "miscadmin.h"
|
|
#include "parser/parse_coerce.h"
|
|
#include "utils/array.h"
|
|
#include "utils/builtins.h"
|
|
@@ -895,6 +896,8 @@ datum_to_json(Datum val, bool is_null, StringInfo result,
|
|
bool numeric_error;
|
|
JsonLexContext dummy_lex;
|
|
|
|
+ check_stack_depth();
|
|
+
|
|
if (is_null)
|
|
{
|
|
appendStringInfoString(result, "null");
|
|
--
|
|
1.7.9.5
|
|
|