This is an automated email from the ASF dual-hosted git repository.

tuhaihe pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cloudberry.git

commit ab9ea2cd61ae67a50e0ee4652512184f359b5edb
Author: Michael Paquier <[email protected]>
AuthorDate: Mon May 11 05:13:49 2026 -0700

    ltree: Fix overflows with lquery parsing
    
    The lquery parser in contrib/ltree/ had two overflow problems:
    - A single lquery level with many OR-separated variants (e.g.,
    'label1|label2|...'), could cause an overflow of totallen, this being
    stored as a uint16, meaning a maximum value of UINT16_MAX or 65k.  Each
    variant contributes MAXALIGN(LVAR_HDRSIZE + len) bytes.  With enough
    long variants, the value would wraparound.  This would corrupt the data
    written by LQL_NEXT(), leading to a stack corruption, most likely
    translating into a crash, but it would allow incorrect memory access.
    - numvar, labelled as a uint16, counts the number of OR-variants in a
    single level, and it is incremented without bounds checking.  With more
    than PG_UINT16_MAX (65k) variants in a single level, and a minimum of
    131kB of input data, it would wrap to 0.  When a (wildcard) '*' is
    used, this would change the query results silently.
    
    For both issues, a set of overflows checks are added to guard against
    these problematic patterns.
    
    The first issue has been reported by the three people listed below,
    affecting v16 and newer versions due to b1665bf01e5f.  Its coding was
    still unsafe in v14 and v15.  The second issue affects all the stable
    branches; I have bumped into while reviewing the code of the module.
    
    Reported-by: Vergissmeinnicht <[email protected]>
    Reported-by: A1ex <[email protected]>
    Reported-by: Jihe Wang <[email protected]>
    Author: Michael Paquier <[email protected]>
    Security: CVE-2026-6473
    Backpatch-through: 14
---
 contrib/ltree/expected/ltree.out | 10 ++++++++++
 contrib/ltree/ltree_io.c         | 19 +++++++++++++++++--
 contrib/ltree/sql/ltree.sql      |  8 ++++++++
 3 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/contrib/ltree/expected/ltree.out b/contrib/ltree/expected/ltree.out
index 6cd7a3d4e58..62bd60868ac 100644
--- a/contrib/ltree/expected/ltree.out
+++ b/contrib/ltree/expected/ltree.out
@@ -8141,3 +8141,13 @@ FROM (VALUES ('.2.3', 'ltree'),
  !tree & aWdf@* | ltxtquery | t  |                |                            
        |                          | 
 (8 rows)
 
+-- Test for overflow of lquery_level.totallen, based on an lquery level with
+-- many OR-variants.
+SELECT (repeat('x', 1000) || repeat('|' || repeat('x', 1000), 65))::lquery;
+ERROR:  lquery level is too large
+DETAIL:  Total size of level exceeds the maximum allowed (65535 bytes).
+-- Test for overflow of lquery_level.numvar, with a set of single-char
+-- variants in one level.
+SELECT (repeat('a|', 65535) || 'a')::lquery;
+ERROR:  lquery level has too many variants
+DETAIL:  Number of variants exceeds the maximum allowed (65535).
diff --git a/contrib/ltree/ltree_io.c b/contrib/ltree/ltree_io.c
index 0a12c77a621..3a0a4266870 100644
--- a/contrib/ltree/ltree_io.c
+++ b/contrib/ltree/ltree_io.c
@@ -7,6 +7,7 @@
 
 #include <ctype.h>
 
+#include "common/int.h"
 #include "crc32.h"
 #include "libpq/pqformat.h"
 #include "ltree.h"
@@ -345,7 +346,12 @@ parse_lquery(const char *buf, struct Node *escontext)
                                        lptr++;
                                        lptr->start = ptr;
                                        state = LQPRS_WAITDELIM;
-                                       curqlevel->numvar++;
+                                       if 
(pg_add_u16_overflow(curqlevel->numvar, 1, &curqlevel->numvar))
+                                               ereturn(escontext, NULL,
+                                                               
(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+                                                                errmsg("lquery 
level has too many variants"),
+                                                                
errdetail("Number of variants exceeds the maximum allowed (%d).",
+                                                                               
   PG_UINT16_MAX)));
                                }
                                else
                                        UNCHAR;
@@ -543,7 +549,16 @@ parse_lquery(const char *buf, struct Node *escontext)
                        lptr = GETVAR(curqlevel);
                        while (lptr - GETVAR(curqlevel) < curqlevel->numvar)
                        {
-                               cur->totallen += MAXALIGN(LVAR_HDRSIZE + 
lptr->len);
+                               int                     newlen = cur->totallen 
+ MAXALIGN(LVAR_HDRSIZE + lptr->len);
+
+                               if (newlen > PG_UINT16_MAX)
+                                       ereturn(escontext, NULL,
+                                                       
(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+                                                        errmsg("lquery level 
is too large"),
+                                                        errdetail("Total size 
of level exceeds the maximum allowed (%d bytes).",
+                                                                          
PG_UINT16_MAX)));
+                               cur->totallen = (uint16) newlen;
+
                                lrptr->len = lptr->len;
                                lrptr->flag = lptr->flag;
                                lrptr->val = ltree_crc32_sz(lptr->start, 
lptr->len);
diff --git a/contrib/ltree/sql/ltree.sql b/contrib/ltree/sql/ltree.sql
index 7a62b760f66..98fa3f88c20 100644
--- a/contrib/ltree/sql/ltree.sql
+++ b/contrib/ltree/sql/ltree.sql
@@ -413,3 +413,11 @@ FROM (VALUES ('.2.3', 'ltree'),
              ('!tree & aWdf@*','ltxtquery'))
       AS a(str,typ),
      LATERAL pg_input_error_info(a.str, a.typ) as errinfo;
+
+-- Test for overflow of lquery_level.totallen, based on an lquery level with
+-- many OR-variants.
+SELECT (repeat('x', 1000) || repeat('|' || repeat('x', 1000), 65))::lquery;
+
+-- Test for overflow of lquery_level.numvar, with a set of single-char
+-- variants in one level.
+SELECT (repeat('a|', 65535) || 'a')::lquery;


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to