Make palloc_array() and friends safe against integer overflow. Sufficiently large "count" arguments could result in undetected overflow, causing the allocated memory chunk to be much smaller than what the caller will subsequently write into it. This is unlikely to be a hazard with 64-bit size_t but can sometimes happen on 32-bit builds, primarily where a function allocates workspace that's significantly larger than its input data. Rather than trying to patch the at-risk callers piecemeal, let's just redefine these macros so that they always check.
To do that, move the longstanding add_size() and mul_size() functions into palloc.h and mcxt.c, and adjust them to not be specific to shared-memory allocation. Then invent palloc_mul(), palloc0_mul(), palloc_mul_extended() to use these functions. Actually, the latter use inlined copies to save one function call. repalloc_array() gets similar treatment. I didn't bother trying to inline the calls for repalloc0_array() though. In v14 and v15, this also adds repalloc_extended(), which previously was only available in v16 and up. We need copies of all this in fe_memutils.[hc] as well, since that module also provides palloc_array() etc. Reported-by: Xint Code Author: Tom Lane <[email protected]> Reviewed-by: Masahiko Sawada <[email protected]> Backpatch-through: 14 Security: CVE-2026-6473 Branch ------ REL_15_STABLE Details ------- https://git.postgresql.org/pg/commitdiff/bfc5cea76d25fa7d2a881699121a09eebc0d5ec6 Author: Tom Lane <[email protected]> Modified Files -------------- src/backend/storage/ipc/shmem.c | 36 ------- src/backend/utils/mmgr/mcxt.c | 196 ++++++++++++++++++++++++++++++++++----- src/common/fe_memutils.c | 188 +++++++++++++++++++++++++++++++++++++ src/include/common/fe_memutils.h | 28 ++++-- src/include/storage/shmem.h | 2 - src/include/utils/memutils.h | 1 + src/include/utils/palloc.h | 22 ++++- 7 files changed, 401 insertions(+), 72 deletions(-)
