Fix assorted places that need to use palloc_array().

multirange_recv and BlockRefTableReaderNextRelation were incautious about multiplying a possibly-large integer by a factor more than 1 and then using it as an allocation size. This is harmless on 64-bit systems where we'd compute a size exceeding MaxAllocSize and then fail, but on 32-bit systems we could overflow size_t leading to an undersized allocation and buffer overrun.

Fix these places by using palloc_array() instead of a handwritten multiplication. (In HEAD, some of them were fixed already, but none of that work got back-patched at the time.)

In addition, BlockRefTableReaderNextRelation passes the same value to BlockRefTableRead's "int length" parameter. If built for 64-bit frontend code, palloc_array() allows a larger array size than it otherwise would, potentially allowing that parameter to overflow. Add an explicit check to forestall that and keep the behavior the same cross-platform.

Reported-by: Xint Code
Author: Tom Lane <[email protected]>
Backpatch-through: 14
Security: CVE-2026-6473

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/c55cea5290647c8d3e571893078664bbca955017
Author: Tom Lane <[email protected]>

Modified Files
--------------
src/backend/utils/adt/multirangetypes.c |  3 ++-
src/common/blkreftable.c                | 14 ++++++++++++++
2 files changed, 16 insertions(+), 1 deletion(-)
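
The size_t wraparound and the "int length" concern described in the commit message, as an added example that is not part of the commit or of PostgreSQL's code. The names unchecked_size, checked_size, fits_int_length and DEMO_MAX_ALLOC are hypothetical, and a 32-bit size_t is modelled with uint32_t so the wrap is visible on any host.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: a 32-bit build is modelled by doing size arithmetic in uint32_t. */
typedef uint32_t size32_t;

/* Assumption: stand-in for an allocator ceiling like MaxAllocSize. */
#define DEMO_MAX_ALLOC ((size32_t) 0x3fffffff)

/* Handwritten pattern: the product wraps modulo 2^32 before any limit check. */
static size32_t unchecked_size(uint32_t count, size32_t elem_size)
{
    return count * elem_size;
}

/* Checked pattern: compare count against the ceiling divided by the element
 * size, so the multiplication is only done when it cannot wrap. */
static bool checked_size(uint32_t count, size32_t elem_size, size32_t *out)
{
    if (elem_size != 0 && count > DEMO_MAX_ALLOC / elem_size)
        return false;
    *out = count * elem_size;
    return true;
}

/* Separate guard for a byte count that is also handed to an "int length"
 * parameter: a 64-bit caller may be allowed sizes that do not fit in int. */
static bool fits_int_length(uint64_t nbytes)
{
    return nbytes <= (uint64_t) INT_MAX;
}

int main(void)
{
    uint32_t count = 0x20000001u;   /* constructed untrusted element count */
    size32_t sz = 0;

    printf("unchecked: %u bytes for %u 8-byte items\n",
           (unsigned) unchecked_size(count, 8), (unsigned) count);
    printf("checked: %s\n", checked_size(count, 8, &sz) ? "accepted" : "rejected");
    printf("2 GiB as int length: %s\n",
           fits_int_length(UINT64_C(0x80000000)) ? "fits" : "rejected");
    return 0;
}
```

With the constructed count, the unchecked product wraps to 8 bytes, which would pass a ceiling test applied after the multiplication while the caller still expects room for about half a billion items.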
