diff -ruN postgresql-7.4.5-old/src/pl/plpgsql/src/gram.y postgresql-7.4.5/src/pl/plpgsql/src/gram.y --- postgresql-7.4.5-old/src/pl/plpgsql/src/gram.y 2003-10-30 18:18:55.000000000 +0100 +++ postgresql-7.4.5/src/pl/plpgsql/src/gram.y 2005-02-10 13:24:10.871958168 +0100 @@ -512,6 +512,10 @@ { int i = $1->nfields++; + /* Guard against overflowing the array on malicious input */ + if (i >= 1024) + yyerror("too many parameters specified for refcursor"); + $1->fieldnames[i] = $3->refname; $1->varnos[i] = $3->varno; @@ -1695,6 +1699,16 @@ } if (plpgsql_SpaceScanned) plpgsql_dstring_append(&ds, " "); + + /* Check for array overflow */ + if (nparams >= 1024) + { + plpgsql_error_lineno = lno; + ereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("too many variables specified in SQL statement"))); + } + switch (tok) { case T_VARIABLE: @@ -1852,6 +1866,15 @@ while ((tok = yylex()) == ',') { + /* Check for array overflow */ + if (nfields >= 1024) + { + plpgsql_error_lineno = plpgsql_scanner_lineno(); + ereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("too many INTO variables specified"))); + } + tok = yylex(); switch(tok) { @@ -1902,6 +1925,16 @@ if (plpgsql_SpaceScanned) plpgsql_dstring_append(&ds, " "); + + /* Check for array overflow */ + if (nparams >= 1024) + { + plpgsql_error_lineno = plpgsql_scanner_lineno(); + ereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("too many variables specified in SQL statement"))); + } + switch (tok) { case T_VARIABLE: @@ -1985,6 +2018,15 @@ while ((tok = yylex()) == ',') { + /* Check for array overflow */ + if (nfields >= 1024) + { + plpgsql_error_lineno = plpgsql_scanner_lineno(); + ereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("too many INTO variables specified"))); + } + tok = yylex(); switch(tok) {