postgres
diff --git a/‎src/interfaces/libpq/fe-connect.c‎
Lines changed: 16 additions & 1 deletion b/‎src/interfaces/libpq/fe-connect.c‎
Lines changed: 16 additions & 1 deletion
diff --git a/‎src/interfaces/libpq/fe-exec.c‎
Lines changed: 86 additions & 15 deletions b/‎src/interfaces/libpq/fe-exec.c‎
Lines changed: 86 additions & 15 deletions
diff --git a/‎src/interfaces/libpq/fe-print.c‎
Lines changed: 56 additions & 5 deletions b/‎src/interfaces/libpq/fe-print.c‎
Lines changed: 56 additions & 5 deletions
@@ -18,6 +18,7 @@
 #include <sys/stat.h>
 #include <fcntl.h>
 #include <ctype.h>
+#include <limits.h>
 #include <time.h>
 #include <unistd.h>
 
@@ -979,7 +980,7 @@ parse_comma_separated_list(char **startptr, bool *more)
 	char	   *p;
 	char	   *s = *startptr;
 	char	   *e;
-	int			len;
+	size_t		len;
 
 	/*
 	 * Search for the end of the current element; a comma or end-of-string
@@ -4904,7 +4905,21 @@ ldapServiceLookup(const char *purl, PQconninfoOption *options,
 	/* concatenate values into a single string with newline terminators */
 	size = 1;					/* for the trailing null */
 	for (i = 0; values[i] != NULL; i++)
+	{
+		if (values[i]->bv_len >= INT_MAX ||
+			size > (INT_MAX - (values[i]->bv_len + 1)))
+		{
+			printfPQExpBuffer(errorMessage,
+							  libpq_gettext("connection info string size exceeds the maximum allowed (%d)\n"),
+							  INT_MAX);
+			ldap_value_free_len(values);
+			ldap_unbind(ld);
+			return 3;
+		}
+
 		size += values[i]->bv_len + 1;
+	}
+
 	if ((result = malloc(size)) == NULL)
 	{
 		printfPQExpBuffer(errorMessage,
 
@@ -486,7 +486,7 @@ PQsetvalue(PGresult *res, int tup_num, int field_num, char *value, int len)
 	}
 	else
 	{
-		attval->value = (char *) pqResultAlloc(res, len + 1, true);
+		attval->value = (char *) pqResultAlloc(res, (size_t) len + 1, true);
 		if (!attval->value)
 			goto fail;
 		attval->len = len;
@@ -574,8 +574,13 @@ pqResultAlloc(PGresult *res, size_t nBytes, bool isBinary)
 	 */
 	if (nBytes >= PGRESULT_SEP_ALLOC_THRESHOLD)
 	{
-		size_t		alloc_size = nBytes + PGRESULT_BLOCK_OVERHEAD;
+		size_t		alloc_size;
 
+		/* Don't wrap around with overly large requests. */
+		if (nBytes > SIZE_MAX - PGRESULT_BLOCK_OVERHEAD)
+			return NULL;
+
+		alloc_size = nBytes + PGRESULT_BLOCK_OVERHEAD;
 		block = (PGresult_data *) malloc(alloc_size);
 		if (!block)
 			return NULL;
@@ -1181,7 +1186,7 @@ pqRowProcessor(PGconn *conn, const char **errmsgp)
 			bool		isbinary = (res->attDescs[i].format != 0);
 			char	   *val;
 
-			val = (char *) pqResultAlloc(res, clen + 1, isbinary);
+			val = (char *) pqResultAlloc(res, (size_t) clen + 1, isbinary);
 			if (val == NULL)
 				goto fail;
 
@@ -3474,6 +3479,27 @@ PQescapeString(char *to, const char *from, size_t length)
 }
 
 
+/*
+ * Frontend version of the backend's add_size(), intended to be API-compatible
+ * with the pg_add_*_overflow() helpers. Stores the result into *dst on success.
+ * Returns true instead if the addition overflows.
+ *
+ * TODO: move to common/int.h
+ */
+static bool
+add_size_overflow(size_t s1, size_t s2, size_t *dst)
+{
+	size_t		result;
+
+	result = s1 + s2;
+	if (result < s1 || result < s2)
+		return true;
+
+	*dst = result;
+	return false;
+}
+
+
 /*
  * Escape arbitrary strings.  If as_ident is true, we escape the result
  * as an identifier; if false, as a literal.  The result is returned in
@@ -3486,8 +3512,8 @@ PQescapeInternal(PGconn *conn, const char *str, size_t len, bool as_ident)
 	const char *s;
 	char	   *result;
 	char	   *rp;
-	int			num_quotes = 0; /* single or double, depending on as_ident */
-	int			num_backslashes = 0;
+	size_t		num_quotes = 0; /* single or double, depending on as_ident */
+	size_t		num_backslashes = 0;
 	size_t		input_len = strnlen(str, len);
 	size_t		result_size;
 	char		quote_char = as_ident ? '"' : '\'';
@@ -3552,10 +3578,21 @@ PQescapeInternal(PGconn *conn, const char *str, size_t len, bool as_ident)
 		}
 	}
 
-	/* Allocate output buffer. */
-	result_size = input_len + num_quotes + 3;	/* two quotes, plus a NUL */
+	/*
+	 * Allocate output buffer. Protect against overflow, in case the caller
+	 * has allocated a large fraction of the available size_t.
+	 */
+	if (add_size_overflow(input_len, num_quotes, &result_size) ||
+		add_size_overflow(result_size, 3, &result_size))	/* two quotes plus a NUL */
+		goto overflow;
+
 	if (!as_ident && num_backslashes > 0)
-		result_size += num_backslashes + 2;
+	{
+		if (add_size_overflow(result_size, num_backslashes, &result_size) ||
+			add_size_overflow(result_size, 2, &result_size))	/* for " E" prefix */
+			goto overflow;
+	}
+
 	result = rp = (char *) malloc(result_size);
 	if (rp == NULL)
 	{
@@ -3629,6 +3666,12 @@ PQescapeInternal(PGconn *conn, const char *str, size_t len, bool as_ident)
 	*rp = '\0';
 
 	return result;
+
+overflow:
+	appendPQExpBuffer(&conn->errorMessage,
+					  libpq_gettext("escaped string size exceeds the maximum allowed (%zu)\n"),
+					  SIZE_MAX);
+	return NULL;
 }
 
 char *
@@ -3694,30 +3737,51 @@ PQescapeByteaInternal(PGconn *conn,
 	unsigned char *result;
 	size_t		i;
 	size_t		len;
-	size_t		bslash_len = (std_strings ? 1 : 2);
+	const size_t bslash_len = (std_strings ? 1 : 2);
 
 	/*
-	 * empty string has 1 char ('\0')
+	 * Calculate the escaped length, watching for overflow as we do with
+	 * PQescapeInternal(). The following code relies on a small constant
+	 * bslash_len so that small additions and multiplications don't need their
+	 * own overflow checks.
+	 *
+	 * Start with the empty string, which has 1 char ('\0').
 	 */
 	len = 1;
 
 	if (use_hex)
 	{
-		len += bslash_len + 1 + 2 * from_length;
+		/* We prepend "\x" and double each input character. */
+		if (add_size_overflow(len, bslash_len + 1, &len) ||
+			add_size_overflow(len, from_length, &len) ||
+			add_size_overflow(len, from_length, &len))
+			goto overflow;
 	}
 	else
 	{
 		vp = from;
 		for (i = from_length; i > 0; i--, vp++)
 		{
 			if (*vp < 0x20 || *vp > 0x7e)
-				len += bslash_len + 3;
+			{
+				if (add_size_overflow(len, bslash_len + 3, &len))	/* octal "\ooo" */
+					goto overflow;
+			}
 			else if (*vp == '\'')
-				len += 2;
+			{
+				if (add_size_overflow(len, 2, &len))	/* double each quote */
+					goto overflow;
+			}
 			else if (*vp == '\\')
-				len += bslash_len + bslash_len;
+			{
+				if (add_size_overflow(len, bslash_len * 2, &len))	/* double each backslash */
+					goto overflow;
+			}
 			else
-				len++;
+			{
+				if (add_size_overflow(len, 1, &len))
+					goto overflow;
+			}
 		}
 	}
 
@@ -3779,6 +3843,13 @@ PQescapeByteaInternal(PGconn *conn,
 	*rp = '\0';
 
 	return result;
+
+overflow:
+	if (conn)
+		appendPQExpBuffer(&conn->errorMessage,
+						  libpq_gettext("escaped bytea size exceeds the maximum allowed (%zu)\n"),
+						  SIZE_MAX);
+	return NULL;
 }
 
 unsigned char *
 
@@ -108,6 +108,16 @@ PQprint(FILE *fout, const PGresult *res, const PQprintOpt *po)
 		}			screen_size;
 #endif
 
+		/*
+		 * Quick sanity check on po->fieldSep, since we make heavy use of int
+		 * math throughout.
+		 */
+		if (fs_len < strlen(po->fieldSep))
+		{
+			fprintf(stderr, libpq_gettext("overlong field separator\n"));
+			goto exit;
+		}
+
 		nTups = PQntuples(res);
 		fieldNames = (const char **) calloc(nFields, sizeof(char *));
 		fieldNotNum = (unsigned char *) calloc(nFields, 1);
@@ -409,7 +419,7 @@ do_field(const PQprintOpt *po, const PGresult *res,
 		{
 			if (plen > fieldMax[j])
 				fieldMax[j] = plen;
-			if (!(fields[i * nFields + j] = (char *) malloc(plen + 1)))
+			if (!(fields[i * nFields + j] = (char *) malloc((size_t) plen + 1)))
 			{
 				fprintf(stderr, libpq_gettext("out of memory\n"));
 				return false;
@@ -459,6 +469,27 @@ do_field(const PQprintOpt *po, const PGresult *res,
 }
 
 
+/*
+ * Frontend version of the backend's add_size(), intended to be API-compatible
+ * with the pg_add_*_overflow() helpers. Stores the result into *dst on success.
+ * Returns true instead if the addition overflows.
+ *
+ * TODO: move to common/int.h
+ */
+static bool
+add_size_overflow(size_t s1, size_t s2, size_t *dst)
+{
+	size_t		result;
+
+	result = s1 + s2;
+	if (result < s1 || result < s2)
+		return true;
+
+	*dst = result;
+	return false;
+}
+
+
 static char *
 do_header(FILE *fout, const PQprintOpt *po, const int nFields, int *fieldMax,
 		  const char **fieldNames, unsigned char *fieldNotNum,
@@ -471,15 +502,31 @@ do_header(FILE *fout, const PQprintOpt *po, const int nFields, int *fieldMax,
 		fputs("<tr>", fout);
 	else
 	{
-		int			tot = 0;
+		size_t		tot = 0;
 		int			n = 0;
 		char	   *p = NULL;
 
+		/* Calculate the border size, checking for overflow. */
 		for (; n < nFields; n++)
-			tot += fieldMax[n] + fs_len + (po->standard ? 2 : 0);
+		{
+			/* Field plus separator, plus 2 extra '-' in standard format. */
+			if (add_size_overflow(tot, fieldMax[n], &tot) ||
+				add_size_overflow(tot, fs_len, &tot) ||
+				(po->standard && add_size_overflow(tot, 2, &tot)))
+				goto overflow;
+		}
 		if (po->standard)
-			tot += fs_len * 2 + 2;
-		border = malloc(tot + 1);
+		{
+			/* An extra separator at the front and back. */
+			if (add_size_overflow(tot, fs_len, &tot) ||
+				add_size_overflow(tot, fs_len, &tot) ||
+				add_size_overflow(tot, 2, &tot))
+				goto overflow;
+		}
+		if (add_size_overflow(tot, 1, &tot))	/* terminator */
+			goto overflow;
+
+		border = malloc(tot);
 		if (!border)
 		{
 			fprintf(stderr, libpq_gettext("out of memory\n"));
@@ -542,6 +589,10 @@ do_header(FILE *fout, const PQprintOpt *po, const int nFields, int *fieldMax,
 	else
 		fprintf(fout, "\n%s\n", border);
 	return border;
+
+overflow:
+	fprintf(stderr, libpq_gettext("header size exceeds the maximum allowed\n"));
+	return NULL;
 }