From f919c165ebdc2f85e4584e959e002705a5a0a774 Mon Sep 17 00:00:00 2001 From: Alexander Korotkov Date: Thu, 30 Aug 2018 14:18:53 +0300 Subject: Enforce cube dimension limit in all cube construction functions contrib/cube has a limit to 100 dimensions for cube datatype. However, it's not enforced everywhere, and one can actually construct cube with more than 100 dimensions having then trouble with dump/restore. This commit add checks for dimensions limit in all functions responsible for cube construction. Backpatch to all supported versions. Reported-by: Andrew Gierth Discussion: https://postgr.es/m/87va7uybt4.fsf%40news-spur.riddles.org.uk Author: Andrey Borodin with small additions by me Review: Tom Lane Backpatch-through: 9.3 --- contrib/cube/cube.c | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) (limited to 'contrib/cube/cube.c') diff --git a/contrib/cube/cube.c b/contrib/cube/cube.c index dfa8465d746..3bbfbf2847b 100644 --- a/contrib/cube/cube.c +++ b/contrib/cube/cube.c @@ -151,6 +151,13 @@ cube_a_f8_f8(PG_FUNCTION_ARGS) errmsg("cannot work with arrays containing NULLs"))); dim = ARRNELEMS(ur); + if (dim > CUBE_MAX_DIM) + ereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("can't extend cube"), + errdetail("A cube cannot have more than %d dimensions.", + CUBE_MAX_DIM))); + if (ARRNELEMS(ll) != dim) ereport(ERROR, (errcode(ERRCODE_ARRAY_ELEMENT_ERROR), @@ -208,6 +215,12 @@ cube_a_f8(PG_FUNCTION_ARGS) errmsg("cannot work with arrays containing NULLs"))); dim = ARRNELEMS(ur); + if (dim > CUBE_MAX_DIM) + ereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("array is too long"), + errdetail("A cube cannot have more than %d dimensions.", + CUBE_MAX_DIM))); dur = ARRPTR(ur); 
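Review bot: The `errmsg("can't extend cube")` added to cube_a_f8_f8 describes the wrong operation. That function builds a cube from two arrays and the check is on `ARRNELEMS(ur)`, so the primary message should match the sibling checks in cube_a_f8 and cube_subset: `errmsg("array is too long")`. In the cube_c_f8 and cube_c_f8_f8 hunks, where a cube really is being extended, the same string uses a contraction, while the neighbouring context message reads "cannot work with arrays containing NULLs"; `errmsg("cannot extend cube")` would keep the wording uniform. As written, anything that matches on the primary message sees an over-long input array reported as an extension failure. The body of cube_a_f8_f8 continues outside the hunk.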
@@ -242,6 +255,13 @@ cube_subset(PG_FUNCTION_ARGS) dx = (int32 *) ARR_DATA_PTR(idx); dim = ARRNELEMS(idx); + if (dim > CUBE_MAX_DIM) + ereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("array is too long"), + errdetail("A cube cannot have more than %d dimensions.", + CUBE_MAX_DIM))); + size = IS_POINT(c) ? POINT_SIZE(dim) : CUBE_SIZE(dim); result = (NDBOX *) palloc0(size); SET_VARSIZE(result, size); @@ -1755,6 +1775,13 @@ cube_c_f8(PG_FUNCTION_ARGS) int size; int i; + if (DIM(cube) + 1 > CUBE_MAX_DIM) + ereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("can't extend cube"), + errdetail("A cube cannot have more than %d dimensions.", + CUBE_MAX_DIM))); + if (IS_POINT(cube)) { size = POINT_SIZE((DIM(cube) + 1)); @@ -1796,6 +1823,13 @@ cube_c_f8_f8(PG_FUNCTION_ARGS) int size; int i; + if (DIM(cube) + 1 > CUBE_MAX_DIM) + ereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("can't extend cube"), + errdetail("A cube cannot have more than %d dimensions.", + CUBE_MAX_DIM))); + if (IS_POINT(cube) && (x1 == x2)) { size = POINT_SIZE((DIM(cube) + 1)); -- cgit v1.2.3
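Review bot: The new guard in cube_subset must stay ahead of `size = IS_POINT(c) ? POINT_SIZE(dim) : CUBE_SIZE(dim);`, and nothing in the hunk records that ordering requirement. `dim` is the length of the caller-supplied index array and feeds both the size macro and `palloc0(size)`, so moving the check below those lines would let an unbounded array length drive the allocation again. I would add a comment above the check, for example `/* Bound dim before it is used to size and allocate the result. */`. The function starts and ends outside the hunk.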