Fix assorted places that need to use palloc_array(). multirange_recv and BlockRefTableReaderNextRelation were incautious about multiplying a possibly-large integer by a factor more than 1 and then using it as an allocation size. This is harmless on 64-bit systems where we'd compute a size exceeding MaxAllocSize and then fail, but on 32-bit systems we could overflow size_t leading to an undersized allocation and buffer overrun.
Fix these places by using palloc_array() instead of a handwritten multiplication. (In HEAD, some of them were fixed already, but none of that work got back-patched at the time.) In addition, BlockRefTableReaderNextRelation passes the same value to BlockRefTableRead's "int length" parameter. If built for 64-bit frontend code, palloc_array() allows a larger array size than it otherwise would, potentially allowing that parameter to overflow. Add an explicit check to forestall that and keep the behavior the same cross-platform. Reported-by: Xint Code Author: Tom Lane <[email protected]> Backpatch-through: 14 Security: CVE-2026-6473 Branch ------ REL_17_STABLE Details ------- https://git.postgresql.org/pg/commitdiff/01b5ef7df090c5921cbd373d80e100b1d529c656 Author: Tom Lane <[email protected]> Modified Files -------------- src/backend/utils/adt/multirangetypes.c | 9 +++++---- src/common/blkreftable.c | 27 ++++++++++++++++++++------- 2 files changed, 25 insertions(+), 11 deletions(-)
