Prevent 4 more buffer overruns in the PL/PgSQL parser. This is just a
authorNeil Conway <neilc@samurai.com>
Mon, 7 Feb 2005 03:55:28 +0000 (03:55 +0000)
committerNeil Conway <neilc@samurai.com>
Mon, 7 Feb 2005 03:55:28 +0000 (03:55 +0000)
minimally-invasive fix for stable branches; a cleaner fix will be
committed to HEAD soon.

src/pl/plpgsql/src/gram.y

index e630a9d9ebedf3af442d9c68e9ad47380a7f7318..a7eb2b3fee9c3ffd5b824f0d863c71450a42c834 100644 (file)
@@ -4,7 +4,7 @@
  *                       procedural language
  *
  * IDENTIFICATION
- *   $Header: /cvsroot/pgsql/src/pl/plpgsql/src/gram.y,v 1.48.2.1 2005/01/21 00:31:21 neilc Exp $
+ *   $Header: /cvsroot/pgsql/src/pl/plpgsql/src/gram.y,v 1.48.2.2 2005/02/07 03:55:28 neilc Exp $
  *
  *   This software is copyrighted by Jan Wieck - Hamburg.
  *
@@ -1711,6 +1711,15 @@ read_sql_construct(int until,
                plpgsql_dstring_append(&ds, yytext);
                break;
        }
+
+       /* Check for array overflow */
+       if (nparams >= 1024)
+       {
+           plpgsql_error_lineno = lno;
+           ereport(ERROR,
+                   (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+                    errmsg("too many variables specified in SQL statement")));
+       }
    }
 
    expr = malloc(sizeof(PLpgSQL_expr) + sizeof(int) * nparams - sizeof(int));
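Review bot: The limit `1024` is a bare literal here and in the three other added checks (both checks in make_select_stmt and the one in make_fetch_stmt), while the arrays it protects are declared outside these hunks, so nothing ties the guard to the real capacity. Deriving the bound from the declaration, e.g. `if (nparams >= lengthof(<parameter array>))`, or from one constant shared by the declaration and the check, would keep a later resize from silently reopening the overrun. This check also sits after the switch, so it presumably runs once the entry has already been stored; that is safe only while each loop iteration adds at most one entry, which deserves a comment such as `/* checked after the store: at most one entry is added per iteration */`. read_sql_construct's body starts and ends outside the hunk, so the store itself cannot be confirmed from here.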
@@ -1856,6 +1865,15 @@ make_select_stmt(void)
 
                    while ((tok = yylex()) == ',')
                    {
+                       /* Check for array overflow */
+                       if (nfields >= 1024)
+                       {
+                           plpgsql_error_lineno = plpgsql_scanner_lineno();
+                           ereport(ERROR,
+                                   (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+                                    errmsg("too many INTO variables specified")));
+                       }
+
                        tok = yylex();
                        switch(tok)
                        {
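Review bot: The comment `/* Check for array overflow */` does not say which array is protected or why the test must come before the next `yylex()`. The store into the INTO-variable array is in the switch that continues past the end of this hunk, so a reader cannot confirm from here that every write is covered. A more specific comment would help, for example `/* INTO field arrays hold 1024 entries; reject before the switch below stores the next one */`, adjusted to the actual declarations. The first INTO variable is presumably stored before this loop is entered, which the comment should also state. The same applies to the identical check added in make_fetch_stmt.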
@@ -1918,6 +1936,15 @@ make_select_stmt(void)
                plpgsql_dstring_append(&ds, yytext);
                break;
        }
+
+       /* Check for array overflow */
+       if (nparams >= 1024)
+       {
+           plpgsql_error_lineno = plpgsql_scanner_lineno();
+           ereport(ERROR,
+                   (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+                    errmsg("too many variables specified in SQL statement")));
+       }
    }
 
    expr = malloc(sizeof(PLpgSQL_expr) + sizeof(int) * nparams - sizeof(int));
@@ -1989,6 +2016,15 @@ make_fetch_stmt(void)
 
                while ((tok = yylex()) == ',')
                {
+                   /* Check for array overflow */
+                   if (nfields >= 1024)
+                   {
+                       plpgsql_error_lineno = plpgsql_scanner_lineno();
+                       ereport(ERROR,
+                               (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+                                errmsg("too many INTO variables specified")));
+                   }
+
                    tok = yylex();
                    switch(tok)
                    {