From 71627f3d1964ef9831ea7997d2f4ac5617c718cc Mon Sep 17 00:00:00 2001
From: Tom Lane <tgl@sss.pgh.pa.us>
Date: Wed, 13 Feb 2013 16:20:01 -0500
Subject: [PATCH] Fix CVE-2013-0255 properly.

Revert commit ab0f7b6089fd215f6ce6081e2e222c38d643a526 (in HEAD only)
in favor of the proper solution, which is to declare enum_recv() correctly
in the system catalogs.  It should be declared to take type "internal"
not "cstring".

Also improve the type_sanity regression test, which should have caught
this typo, so that it actually would.  Most of the relevant checks on
the signature of type I/O functions should not have been restricted to
basetypes/pseudotypes, as they should apply to any type's I/O functions.
---
 src/backend/utils/adt/enum.c              |  5 -----
 src/include/catalog/catversion.h          |  2 +-
 src/include/catalog/pg_proc.h             |  2 +-
 src/test/regress/expected/type_sanity.out | 16 ++++++++++------
 src/test/regress/sql/type_sanity.sql      | 16 ++++++++++------
 5 files changed, 22 insertions(+), 19 deletions(-)

diff --git a/src/backend/utils/adt/enum.c b/src/backend/utils/adt/enum.c
index 1eb8ccfaee5..01a726be447 100644
--- a/src/backend/utils/adt/enum.c
+++ b/src/backend/utils/adt/enum.c
@@ -18,7 +18,6 @@
 #include "access/htup_details.h"
 #include "catalog/indexing.h"
 #include "catalog/pg_enum.h"
-#include "catalog/pg_type.h"
 #include "libpq/pqformat.h"
 #include "utils/array.h"
 #include "utils/builtins.h"
@@ -105,10 +104,6 @@ enum_recv(PG_FUNCTION_ARGS)
 	char	   *name;
 	int			nbytes;
 
-	/* guard against pre-9.3 misdeclaration of enum_recv */
-	if (get_fn_expr_argtype(fcinfo->flinfo, 0) == CSTRINGOID)
-		elog(ERROR, "invalid argument for enum_recv");
-
 	name = pq_getmsgtext(buf, buf->len - buf->cursor, &nbytes);
 
 	/* must check length to prevent Assert failure within SearchSysCache */
diff --git a/src/include/catalog/catversion.h b/src/include/catalog/catversion.h
index 4b8fa0175b3..2b8df5eaf6f 100644
--- a/src/include/catalog/catversion.h
+++ b/src/include/catalog/catversion.h
@@ -53,6 +53,6 @@
  */
 
 /*							yyyymmddN */
-#define CATALOG_VERSION_NO	201301231
+#define CATALOG_VERSION_NO	201302131
 
 #endif
diff --git a/src/include/catalog/pg_proc.h b/src/include/catalog/pg_proc.h
index 028e1684ff0..d9f50d22d2a 100644
--- a/src/include/catalog/pg_proc.h
+++ b/src/include/catalog/pg_proc.h
@@ -4160,7 +4160,7 @@ DATA(insert OID = 3530 (  enum_range	PGNSP PGUID 12 1 0 0 0 f f f f f f s 2 0 22
 DESCR("range between the two given enum values, as an ordered array");
 DATA(insert OID = 3531 (  enum_range	PGNSP PGUID 12 1 0 0 0 f f f f f f s 1 0 2277 "3500" _null_ _null_ _null_ _null_ enum_range_all _null_ _null_ _null_ ));
 DESCR("range of the given enum type, as an ordered array");
-DATA(insert OID = 3532 (  enum_recv		PGNSP PGUID 12 1 0 0 0 f f f f t f s 2 0 3500 "2275 26" _null_ _null_ _null_ _null_ enum_recv _null_ _null_ _null_ ));
+DATA(insert OID = 3532 (  enum_recv		PGNSP PGUID 12 1 0 0 0 f f f f t f s 2 0 3500 "2281 26" _null_ _null_ _null_ _null_ enum_recv _null_ _null_ _null_ ));
 DESCR("I/O");
 DATA(insert OID = 3533 (  enum_send		PGNSP PGUID 12 1 0 0 0 f f f f t f s 1 0 17 "3500" _null_ _null_ _null_ _null_ enum_send _null_ _null_ _null_ ));
 DESCR("I/O");
diff --git a/src/test/regress/expected/type_sanity.out b/src/test/regress/expected/type_sanity.out
index 70eab923702..3616c8dbd09 100644
--- a/src/test/regress/expected/type_sanity.out
+++ b/src/test/regress/expected/type_sanity.out
@@ -117,8 +117,10 @@ WHERE (p1.typinput = 0 OR p1.typoutput = 0);
 -- Check for bogus typinput routines
 SELECT p1.oid, p1.typname, p2.oid, p2.proname
 FROM pg_type AS p1, pg_proc AS p2
-WHERE p1.typinput = p2.oid AND p1.typtype in ('b', 'p') AND NOT
+WHERE p1.typinput = p2.oid AND NOT
     ((p2.pronargs = 1 AND p2.proargtypes[0] = 'cstring'::regtype) OR
+     (p2.pronargs = 2 AND p2.proargtypes[0] = 'cstring'::regtype AND
+      p2.proargtypes[1] = 'oid'::regtype) OR
      (p2.pronargs = 3 AND p2.proargtypes[0] = 'cstring'::regtype AND
       p2.proargtypes[1] = 'oid'::regtype AND
       p2.proargtypes[2] = 'int4'::regtype));
@@ -143,7 +145,7 @@ ORDER BY 1;
 -- Exception as of 8.1: int2vector and oidvector have their own I/O routines
 SELECT p1.oid, p1.typname, p2.oid, p2.proname
 FROM pg_type AS p1, pg_proc AS p2
-WHERE p1.typinput = p2.oid AND p1.typtype in ('b', 'p') AND
+WHERE p1.typinput = p2.oid AND
     (p1.typelem != 0 AND p1.typlen < 0) AND NOT
     (p2.oid = 'array_in'::regproc)
 ORDER BY 1;
@@ -184,7 +186,7 @@ ORDER BY 1;
 
 SELECT p1.oid, p1.typname, p2.oid, p2.proname
 FROM pg_type AS p1, pg_proc AS p2
-WHERE p1.typoutput = p2.oid AND p1.typtype in ('b', 'p') AND NOT
+WHERE p1.typoutput = p2.oid AND NOT
     (p2.prorettype = 'cstring'::regtype AND NOT p2.proretset);
  oid | typname | oid | proname 
 -----+---------+-----+---------
@@ -213,8 +215,10 @@ WHERE p1.typtype = 'd' AND p1.typoutput IS DISTINCT FROM p2.typoutput;
 -- Check for bogus typreceive routines
 SELECT p1.oid, p1.typname, p2.oid, p2.proname
 FROM pg_type AS p1, pg_proc AS p2
-WHERE p1.typreceive = p2.oid AND p1.typtype in ('b', 'p') AND NOT
+WHERE p1.typreceive = p2.oid AND NOT
     ((p2.pronargs = 1 AND p2.proargtypes[0] = 'internal'::regtype) OR
+     (p2.pronargs = 2 AND p2.proargtypes[0] = 'internal'::regtype AND
+      p2.proargtypes[1] = 'oid'::regtype) OR
      (p2.pronargs = 3 AND p2.proargtypes[0] = 'internal'::regtype AND
       p2.proargtypes[1] = 'oid'::regtype AND
       p2.proargtypes[2] = 'int4'::regtype));
@@ -239,7 +243,7 @@ ORDER BY 1;
 -- Exception as of 8.1: int2vector and oidvector have their own I/O routines
 SELECT p1.oid, p1.typname, p2.oid, p2.proname
 FROM pg_type AS p1, pg_proc AS p2
-WHERE p1.typreceive = p2.oid AND p1.typtype in ('b', 'p') AND
+WHERE p1.typreceive = p2.oid AND
     (p1.typelem != 0 AND p1.typlen < 0) AND NOT
     (p2.oid = 'array_recv'::regproc)
 ORDER BY 1;
@@ -289,7 +293,7 @@ ORDER BY 1;
 
 SELECT p1.oid, p1.typname, p2.oid, p2.proname
 FROM pg_type AS p1, pg_proc AS p2
-WHERE p1.typsend = p2.oid AND p1.typtype in ('b', 'p') AND NOT
+WHERE p1.typsend = p2.oid AND NOT
     (p2.prorettype = 'bytea'::regtype AND NOT p2.proretset);
  oid | typname | oid | proname 
 -----+---------+-----+---------
diff --git a/src/test/regress/sql/type_sanity.sql b/src/test/regress/sql/type_sanity.sql
index 413b220d592..14cb5408b79 100644
--- a/src/test/regress/sql/type_sanity.sql
+++ b/src/test/regress/sql/type_sanity.sql
@@ -96,8 +96,10 @@ WHERE (p1.typinput = 0 OR p1.typoutput = 0);
 
 SELECT p1.oid, p1.typname, p2.oid, p2.proname
 FROM pg_type AS p1, pg_proc AS p2
-WHERE p1.typinput = p2.oid AND p1.typtype in ('b', 'p') AND NOT
+WHERE p1.typinput = p2.oid AND NOT
     ((p2.pronargs = 1 AND p2.proargtypes[0] = 'cstring'::regtype) OR
+     (p2.pronargs = 2 AND p2.proargtypes[0] = 'cstring'::regtype AND
+      p2.proargtypes[1] = 'oid'::regtype) OR
      (p2.pronargs = 3 AND p2.proargtypes[0] = 'cstring'::regtype AND
       p2.proargtypes[1] = 'oid'::regtype AND
       p2.proargtypes[2] = 'int4'::regtype));
@@ -115,7 +117,7 @@ ORDER BY 1;
 -- Exception as of 8.1: int2vector and oidvector have their own I/O routines
 SELECT p1.oid, p1.typname, p2.oid, p2.proname
 FROM pg_type AS p1, pg_proc AS p2
-WHERE p1.typinput = p2.oid AND p1.typtype in ('b', 'p') AND
+WHERE p1.typinput = p2.oid AND
     (p1.typelem != 0 AND p1.typlen < 0) AND NOT
     (p2.oid = 'array_in'::regproc)
 ORDER BY 1;
@@ -141,7 +143,7 @@ ORDER BY 1;
 
 SELECT p1.oid, p1.typname, p2.oid, p2.proname
 FROM pg_type AS p1, pg_proc AS p2
-WHERE p1.typoutput = p2.oid AND p1.typtype in ('b', 'p') AND NOT
+WHERE p1.typoutput = p2.oid AND NOT
     (p2.prorettype = 'cstring'::regtype AND NOT p2.proretset);
 
 -- Composites, enums, ranges should all use the same output routines
@@ -159,8 +161,10 @@ WHERE p1.typtype = 'd' AND p1.typoutput IS DISTINCT FROM p2.typoutput;
 
 SELECT p1.oid, p1.typname, p2.oid, p2.proname
 FROM pg_type AS p1, pg_proc AS p2
-WHERE p1.typreceive = p2.oid AND p1.typtype in ('b', 'p') AND NOT
+WHERE p1.typreceive = p2.oid AND NOT
     ((p2.pronargs = 1 AND p2.proargtypes[0] = 'internal'::regtype) OR
+     (p2.pronargs = 2 AND p2.proargtypes[0] = 'internal'::regtype AND
+      p2.proargtypes[1] = 'oid'::regtype) OR
      (p2.pronargs = 3 AND p2.proargtypes[0] = 'internal'::regtype AND
       p2.proargtypes[1] = 'oid'::regtype AND
       p2.proargtypes[2] = 'int4'::regtype));
@@ -178,7 +182,7 @@ ORDER BY 1;
 -- Exception as of 8.1: int2vector and oidvector have their own I/O routines
 SELECT p1.oid, p1.typname, p2.oid, p2.proname
 FROM pg_type AS p1, pg_proc AS p2
-WHERE p1.typreceive = p2.oid AND p1.typtype in ('b', 'p') AND
+WHERE p1.typreceive = p2.oid AND
     (p1.typelem != 0 AND p1.typlen < 0) AND NOT
     (p2.oid = 'array_recv'::regproc)
 ORDER BY 1;
@@ -210,7 +214,7 @@ ORDER BY 1;
 
 SELECT p1.oid, p1.typname, p2.oid, p2.proname
 FROM pg_type AS p1, pg_proc AS p2
-WHERE p1.typsend = p2.oid AND p1.typtype in ('b', 'p') AND NOT
+WHERE p1.typsend = p2.oid AND NOT
     (p2.prorettype = 'bytea'::regtype AND NOT p2.proretset);
 
 -- Composites, enums, ranges should all use the same send routines
-- 
GitLab