diff -ruN postgresql-7.4.5-old/src/pl/plpgsql/src/gram.y postgresql-7.4.5/src/pl/plpgsql/src/gram.y
--- postgresql-7.4.5-old/src/pl/plpgsql/src/gram.y 2003-10-30 18:18:55.000000000 +0100
+++ postgresql-7.4.5/src/pl/plpgsql/src/gram.y 2005-02-10 13:24:10.871958168 +0100
@@ -512,6 +512,10 @@
{
int i = $1->nfields++;
+ /* Guard against overflowing the array on malicious input */
+ if (i >= 1024)
+ yyerror("too many parameters specified for refcursor");
+
$1->fieldnames[i] = $3->refname;
$1->varnos[i] = $3->varno;
@@ -1695,6 +1699,16 @@
}
if (plpgsql_SpaceScanned)
plpgsql_dstring_append(&ds, " ");
+
+ /* Check for array overflow */
+ if (nparams >= 1024)
+ {
+ plpgsql_error_lineno = lno;
+ ereport(ERROR,
+ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+ errmsg("too many variables specified in SQL statement")));
+ }
+
switch (tok)
{
case T_VARIABLE:
@@ -1852,6 +1866,15 @@
while ((tok = yylex()) == ',')
{
+ /* Check for array overflow */
+ if (nfields >= 1024)
+ {
+ plpgsql_error_lineno = plpgsql_scanner_lineno();
+ ereport(ERROR,
+ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+ errmsg("too many INTO variables specified")));
+ }
+
tok = yylex();
switch(tok)
{
@@ -1902,6 +1925,16 @@
if (plpgsql_SpaceScanned)
plpgsql_dstring_append(&ds, " ");
+
+ /* Check for array overflow */
+ if (nparams >= 1024)
+ {
+ plpgsql_error_lineno = plpgsql_scanner_lineno();
+ ereport(ERROR,
+ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+ errmsg("too many variables specified in SQL statement")));
+ }
+
switch (tok)
{
case T_VARIABLE:
@@ -1985,6 +2018,15 @@
while ((tok = yylex()) == ',')
{
+ /* Check for array overflow */
+ if (nfields >= 1024)
+ {
+ plpgsql_error_lineno = plpgsql_scanner_lineno();
+ ereport(ERROR,
+ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+ errmsg("too many INTO variables specified")));
+ }
+
tok = yylex();
switch(tok)
{
