Merge branch 'REL9_5_STABLE' into PGPRO9_5

vbwagner · vbwagner · commit 0a18be717766 · 2016-02-08T20:12:39.000+03:00
Merged fix for CVE-2016-0773
diff --git a/doc/src/sgml/release-9.1.sgml b/doc/src/sgml/release-9.1.sgml
@@ -34,6 +34,19 @@
 
    <itemizedlist>
 
+    <listitem>
+     <para>
+      Fix infinite loops and buffer-overrun problems in regular expressions
+      (Tom Lane)
+     </para>
+
+     <para>
+      Very large character ranges in bracket expressions could cause
+      infinite loops in some cases, and memory overwrites in other cases.
+      (CVE-2016-0773)
+     </para>
+    </listitem>
+
     <listitem>
      <para>
       Perform an immediate shutdown if the <filename>postmaster.pid</> file
diff --git a/doc/src/sgml/release-9.2.sgml b/doc/src/sgml/release-9.2.sgml
@@ -34,6 +34,19 @@
 
    <itemizedlist>
 
+    <listitem>
+     <para>
+      Fix infinite loops and buffer-overrun problems in regular expressions
+      (Tom Lane)
+     </para>
+
+     <para>
+      Very large character ranges in bracket expressions could cause
+      infinite loops in some cases, and memory overwrites in other cases.
+      (CVE-2016-0773)
+     </para>
+    </listitem>
+
     <listitem>
      <para>
       Perform an immediate shutdown if the <filename>postmaster.pid</> file
diff --git a/doc/src/sgml/release-9.3.sgml b/doc/src/sgml/release-9.3.sgml
@@ -34,6 +34,19 @@
 
    <itemizedlist>
 
+    <listitem>
+     <para>
+      Fix infinite loops and buffer-overrun problems in regular expressions
+      (Tom Lane)
+     </para>
+
+     <para>
+      Very large character ranges in bracket expressions could cause
+      infinite loops in some cases, and memory overwrites in other cases.
+      (CVE-2016-0773)
+     </para>
+    </listitem>
+
     <listitem>
      <para>
       Perform an immediate shutdown if the <filename>postmaster.pid</> file
diff --git a/doc/src/sgml/release-9.4.sgml b/doc/src/sgml/release-9.4.sgml
@@ -65,6 +65,19 @@ Branch: REL9_4_STABLE [788e35ac0] 2015-11-05 18:15:48 -0500
      </para>
     </listitem>
 
+    <listitem>
+     <para>
+      Fix infinite loops and buffer-overrun problems in regular expressions
+      (Tom Lane)
+     </para>
+
+     <para>
+      Very large character ranges in bracket expressions could cause
+      infinite loops in some cases, and memory overwrites in other cases.
+      (CVE-2016-0773)
+     </para>
+    </listitem>
+
 <!--
 Author: Tom Lane <tgl@sss.pgh.pa.us>
 Branch: master [7e2a18a91] 2015-10-06 17:15:52 -0400
diff --git a/doc/src/sgml/release-9.5.sgml b/doc/src/sgml/release-9.5.sgml
@@ -28,6 +28,29 @@
 
    <itemizedlist>
 
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [3bb3f42f3] 2016-02-08 10:25:40 -0500
+Branch: REL9_5_STABLE [a61de2bc1] 2016-02-08 10:25:40 -0500
+Branch: REL9_4_STABLE [fdc3139e2] 2016-02-08 10:25:40 -0500
+Branch: REL9_3_STABLE [6403a6b74] 2016-02-08 10:25:40 -0500
+Branch: REL9_2_STABLE [e93516cf7] 2016-02-08 10:25:40 -0500
+Branch: REL9_1_STABLE [98d6b7305] 2016-02-08 10:25:40 -0500
+-->
+
+    <listitem>
+     <para>
+      Fix infinite loops and buffer-overrun problems in regular expressions
+      (Tom Lane)
+     </para>
+
+     <para>
+      Very large character ranges in bracket expressions could cause
+      infinite loops in some cases, and memory overwrites in other cases.
+      (CVE-2016-0773)
+     </para>
+    </listitem>
+
 <!--
 Author: Tom Lane <tgl@sss.pgh.pa.us>
 Branch: master [f867ce551] 2016-02-07 12:29:32 -0500
@@ -41,6 +64,32 @@ Branch: REL9_5_STABLE [129db3cbe] 2016-02-07 12:29:17 -0500
      </para>
     </listitem>
 
+<!--
+Author: Andres Freund <andres@anarazel.de>
+Branch: master [a6897efab] 2016-02-08 11:03:31 +0100
+Branch: REL9_5_STABLE [87dbc72a7] 2016-02-08 11:03:37 +0100
+-->
+
+    <listitem>
+     <para>
+      Avoid pushdown of <literal>HAVING</> clauses when grouping sets are
+      used (Andrew Gierth)
+     </para>
+    </listitem>
+
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [cc2ca9319] 2016-02-07 14:57:24 -0500
+Branch: REL9_5_STABLE [82406d6ff] 2016-02-07 14:57:24 -0500
+-->
+
+    <listitem>
+     <para>
+      Fix deparsing of <literal>ON CONFLICT</> arbiter <literal>WHERE</>
+      clauses (Peter Geoghegan)
+     </para>
+    </listitem>
+
 <!--
 Author: Tom Lane <tgl@sss.pgh.pa.us>
 Branch: master [b8682a715] 2016-01-26 15:38:33 -0500
@@ -272,6 +321,8 @@ Branch: REL9_5_STABLE [40482e606] 2016-02-01 13:20:37 +0100
 Branch: REL9_3_STABLE [0b55fef39] 2016-02-01 13:19:10 +0100
 Branch: REL9_2_STABLE [d9ce5d201] 2016-02-01 13:19:34 +0100
 Branch: REL9_1_STABLE [79782b407] 2016-02-01 13:19:43 +0100
+Author: Andres Freund <andres@anarazel.de>
+Branch: REL9_4_STABLE [33b26426e] 2016-02-08 11:10:14 +0100
 -->
 
     <listitem>
diff --git a/src/backend/regex/regc_lex.c b/src/backend/regex/regc_lex.c
@@ -792,13 +792,13 @@ lexescape(struct vars * v)
 			break;
 		case CHR('u'):
 			c = lexdigits(v, 16, 4, 4);
-			if (ISERR())
+			if (ISERR() || c < CHR_MIN || c > CHR_MAX)
 				FAILW(REG_EESCAPE);
 			RETV(PLAIN, c);
 			break;
 		case CHR('U'):
 			c = lexdigits(v, 16, 8, 8);
-			if (ISERR())
+			if (ISERR() || c < CHR_MIN || c > CHR_MAX)
 				FAILW(REG_EESCAPE);
 			RETV(PLAIN, c);
 			break;
@@ -816,7 +816,7 @@ lexescape(struct vars * v)
 		case CHR('x'):
 			NOTE(REG_UUNPORT);
 			c = lexdigits(v, 16, 1, 255);		/* REs >255 long outside spec */
-			if (ISERR())
+			if (ISERR() || c < CHR_MIN || c > CHR_MAX)
 				FAILW(REG_EESCAPE);
 			RETV(PLAIN, c);
 			break;
@@ -872,6 +872,9 @@ lexescape(struct vars * v)
 
 /*
  * lexdigits - slurp up digits and return chr value
+ *
+ * This does not account for overflow; callers should range-check the result
+ * if maxlen is large enough to make that possible.
  */
 static chr						/* chr value; errors signalled via ERR */
 lexdigits(struct vars * v,
diff --git a/src/backend/regex/regc_locale.c b/src/backend/regex/regc_locale.c
@@ -408,8 +408,7 @@ range(struct vars * v,			/* context */
 	int			nchrs;
 	struct cvec *cv;
 	celt		c,
-				lc,
-				uc;
+				cc;
 
 	if (a != b && !before(a, b))
 	{
@@ -427,24 +426,51 @@ range(struct vars * v,			/* context */
 
 	/*
 	 * When case-independent, it's hard to decide when cvec ranges are usable,
-	 * so for now at least, we won't try.  We allocate enough space for two
-	 * case variants plus a little extra for the two title case variants.
+	 * so for now at least, we won't try.  We use a range for the originally
+	 * specified chrs and then add on any case-equivalents that are outside
+	 * that range as individual chrs.
+	 *
+	 * To ensure sane behavior if someone specifies a very large range, limit
+	 * the allocation size to 100000 chrs (arbitrary) and check for overrun
+	 * inside the loop below.
 	 */
+	nchrs = b - a + 1;
+	if (nchrs <= 0 || nchrs > 100000)
+		nchrs = 100000;
 
-	nchrs = (b - a + 1) * 2 + 4;
-
-	cv = getcvec(v, nchrs, 0);
+	cv = getcvec(v, nchrs, 1);
 	NOERRN();
+	addrange(cv, a, b);
 
 	for (c = a; c <= b; c++)
 	{
-		addchr(cv, c);
-		lc = pg_wc_tolower((chr) c);
-		if (c != lc)
-			addchr(cv, lc);
-		uc = pg_wc_toupper((chr) c);
-		if (c != uc)
-			addchr(cv, uc);
+		cc = pg_wc_tolower((chr) c);
+		if (cc != c &&
+			(before(cc, a) || before(b, cc)))
+		{
+			if (cv->nchrs >= cv->chrspace)
+			{
+				ERR(REG_ETOOBIG);
+				return NULL;
+			}
+			addchr(cv, cc);
+		}
+		cc = pg_wc_toupper((chr) c);
+		if (cc != c &&
+			(before(cc, a) || before(b, cc)))
+		{
+			if (cv->nchrs >= cv->chrspace)
+			{
+				ERR(REG_ETOOBIG);
+				return NULL;
+			}
+			addchr(cv, cc);
+		}
+		if (CANCEL_REQUESTED(v->re))
+		{
+			ERR(REG_CANCEL);
+			return NULL;
+		}
 	}
 
 	return cv;
diff --git a/src/backend/regex/regcomp.c b/src/backend/regex/regcomp.c
@@ -1586,6 +1586,7 @@ dovec(struct vars * v,
 	{
 		ch = *p;
 		newarc(v->nfa, PLAIN, subcolor(v->cm, ch), lp, rp);
+		NOERR();
 	}
 
 	/* and the ranges */
@@ -1595,6 +1596,7 @@ dovec(struct vars * v,
 		to = *(p + 1);
 		if (from <= to)
 			subrange(v, from, to, lp, rp);
+		NOERR();
 	}
 }
 
diff --git a/src/include/regex/regcustom.h b/src/include/regex/regcustom.h
@@ -65,7 +65,8 @@ typedef int celt;				/* type to hold chr, or NOCELT */
 #define DIGITVAL(c) ((c)-'0')	/* turn chr digit into its value */
 #define CHRBITS 32				/* bits in a chr; must not use sizeof */
 #define CHR_MIN 0x00000000		/* smallest and largest chr; the value */
-#define CHR_MAX 0xfffffffe		/* CHR_MAX-CHR_MIN+1 should fit in uchr */
+#define CHR_MAX 0x7ffffffe		/* CHR_MAX-CHR_MIN+1 must fit in an int, and
+								 * CHR_MAX+1 must fit in both chr and celt */
 
 /* functions operating on chr */
 #define iscalnum(x) pg_wc_isalnum(x)
diff --git a/src/test/regress/expected/regex.out b/src/test/regress/expected/regex.out
@@ -326,3 +326,5 @@ select 'xyz' ~ 'x(\w)(?=\1)';  -- no backrefs in LACONs
 ERROR:  invalid regular expression: invalid backreference number
 select 'xyz' ~ 'x(\w)(?=(\1))';
 ERROR:  invalid regular expression: invalid backreference number
+select 'a' ~ '\x7fffffff';  -- invalid chr code
+ERROR:  invalid regular expression: invalid escape \ sequence
diff --git a/src/test/regress/sql/regex.sql b/src/test/regress/sql/regex.sql
@@ -86,3 +86,4 @@ select 'a' ~ '()+\1';
 -- Error conditions
 select 'xyz' ~ 'x(\w)(?=\1)';  -- no backrefs in LACONs
 select 'xyz' ~ 'x(\w)(?=(\1))';
+select 'a' ~ '\x7fffffff';  -- invalid chr code

Original file line number	Diff line number	Diff line change
`@@ -1586,6 +1586,7 @@ dovec(struct vars * v,`
`1586`	`1586`	`{`
`1587`	`1587`	`ch = *p;`
`1588`	`1588`	`newarc(v->nfa, PLAIN, subcolor(v->cm, ch), lp, rp);`
	`1589`	`+ NOERR();`
`1589`	`1590`	`}`
`1590`	`1591`
`1591`	`1592`	`/* and the ranges */`
`@@ -1595,6 +1596,7 @@ dovec(struct vars * v,`
`1595`	`1596`	`to = *(p + 1);`
`1596`	`1597`	`if (from <= to)`
`1597`	`1598`	`subrange(v, from, to, lp, rp);`
	`1599`	`+ NOERR();`
`1598`	`1600`	`}`
`1599`	`1601`	`}`
`1600`	`1602`