Prevent overrunning a heap-allocated buffer if more than 1024 parameters

to a refcursor declaration are specified. This is a minimally-invasive fix
for the buffer overrun -- a more thorough cleanup will be checked into
HEAD.

diff --git a/src/pl/plpgsql/src/gram.y b/src/pl/plpgsql/src/gram.y
index d10bde619f5e044882e567330b8bf9cf22c1e389..66f6edf2463faf56dc49d1efdebba721239cbc38 100644 (file)
--- a/src/pl/plpgsql/src/gram.y
+++ b/src/pl/plpgsql/src/gram.y
@@ -512,6 +512,10 @@ decl_cursor_arglist : decl_cursor_arg
                                        {
                                                int i = $1->nfields++;
 
+                                               /* Guard against overflowing the array on malicious input */
+                                               if (i >= 1024)
+                                                       yyerror("too many parameters specified for refcursor");
+
                                                $1->fieldnames[i] = $3->refname;
                                                $1->varnos[i] = $3->varno;