From 5d93cf04761ce50810f911d27335a1b32fd772ce Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Jun 14 2021 07:25:12 +0000
Subject: import postgresql-9.2.24-7.el7_9


---

diff --git a/SOURCES/postgresql-CVE-2021-32027.patch b/SOURCES/postgresql-CVE-2021-32027.patch
new file mode 100644
index 0000000..ddb7335
--- /dev/null
+++ b/SOURCES/postgresql-CVE-2021-32027.patch
@@ -0,0 +1,154 @@
+Author: Filip Januš <fjanus@redhat.com>
+Backport of https://git.postgresql.org/gitweb/?p=postgresql.git;a=patch;h=0c1caa48d3ccb7a5d1343b53aa32fcae45dc2d00
+
+diff -ur postgresql-9.2.24/src/backend/executor/execQual.c postgresql-9.2.24-patched/src/backend/executor/execQual.c
+--- postgresql-9.2.24/src/backend/executor/execQual.c	2017-11-06 23:17:39.000000000 +0100
++++ postgresql-9.2.24-patched/src/backend/executor/execQual.c	2021-06-02 10:05:19.781390954 +0200
+@@ -3212,6 +3212,9 @@
+ 			dims[i] = elem_dims[i - 1];
+ 			lbs[i] = elem_lbs[i - 1];
+ 		}
++        /* Check subscript owerflow */
++        (void) ArrayGetNItems(ndims, dims);
++        ArrayCheckBounds(ndims, dims, lbs);
+ 
+ 		if (havenulls)
+ 		{
+diff -ur postgresql-9.2.24/src/backend/utils/adt/arrayfuncs.c postgresql-9.2.24-patched/src/backend/utils/adt/arrayfuncs.c
+--- postgresql-9.2.24/src/backend/utils/adt/arrayfuncs.c	2017-11-06 23:17:39.000000000 +0100
++++ postgresql-9.2.24-patched/src/backend/utils/adt/arrayfuncs.c	2021-06-02 10:05:19.785391004 +0200
+@@ -325,7 +325,9 @@
+ 
+ 	/* This checks for overflow of the array dimensions */
+ 	nitems = ArrayGetNItems(ndim, dim);
+-	/* Empty array? */
++	ArrayCheckBounds(ndim, dim, lBound);
++
++    /* Empty array? */
+ 	if (nitems == 0)
+ 		PG_RETURN_ARRAYTYPE_P(construct_empty_array(element_type));
+ 
+@@ -1261,24 +1263,11 @@
+ 		dim[i] = pq_getmsgint(buf, 4);
+ 		lBound[i] = pq_getmsgint(buf, 4);
+ 
+-		/*
+-		 * Check overflow of upper bound. (ArrayNItems() below checks that
+-		 * dim[i] >= 0)
+-		 */
+-		if (dim[i] != 0)
+-		{
+-			int			ub = lBound[i] + dim[i] - 1;
+-
+-			if (lBound[i] > ub)
+-				ereport(ERROR,
+-						(errcode(ERRCODE_NUMERIC_VALUE_OUT_OF_RANGE),
+-						 errmsg("integer out of range")));
+-		}
+ 	}
+ 
+ 	/* This checks for overflow of array dimensions */
+ 	nitems = ArrayGetNItems(ndim, dim);
+-
++    ArrayCheckBounds(ndim, dim, lBound);
+ 	/*
+ 	 * We arrange to look up info about element type, including its receive
+ 	 * conversion proc, only once per series of calls, assuming the element
+@@ -2074,7 +2063,7 @@
+ 					(errcode(ERRCODE_ARRAY_SUBSCRIPT_ERROR),
+ 					 errmsg("wrong number of array subscripts")));
+ 
+-		if (indx[0] < 0 || indx[0] * elmlen >= arraytyplen)
++		if (indx[0] < 0 || indx[0] >= arraytyplen / elmlen)
+ 			ereport(ERROR,
+ 					(errcode(ERRCODE_ARRAY_SUBSCRIPT_ERROR),
+ 					 errmsg("array subscript out of range")));
+@@ -2178,6 +2167,8 @@
+ 	 * Compute sizes of items and areas to copy
+ 	 */
+ 	newnitems = ArrayGetNItems(ndim, dim);
++    /* Check for overflow of the array dimension */
++    ArrayCheckBounds(ndim, dim, lb);
+ 	if (newhasnulls)
+ 		overheadlen = ARR_OVERHEAD_WITHNULLS(ndim, newnitems);
+ 	else
+@@ -2481,6 +2472,7 @@
+ 
+ 	/* Do this mainly to check for overflow */
+ 	nitems = ArrayGetNItems(ndim, dim);
++    ArrayCheckBounds(ndim, dim, lb);
+ 
+ 	/*
+ 	 * Make sure source array has enough entries.  Note we ignore the shape of
+@@ -2919,6 +2911,7 @@
+ 		return construct_empty_array(elmtype);
+ 
+ 	nelems = ArrayGetNItems(ndims, dims);
++    ArrayCheckBounds(ndims, dims, lbs);
+ 
+ 	/* compute required space */
+ 	nbytes = 0;
+@@ -4965,6 +4958,7 @@
+ 	}
+ 
+ 	nitems = ArrayGetNItems(ndims, dimv);
++    ArrayCheckBounds(ndims,dimv, lbsv);
+ 
+ 	/* fast track for empty array */
+ 	if (nitems <= 0)
+diff -ur postgresql-9.2.24/src/backend/utils/adt/array_userfuncs.c postgresql-9.2.24-patched/src/backend/utils/adt/array_userfuncs.c
+--- postgresql-9.2.24/src/backend/utils/adt/array_userfuncs.c	2017-11-06 23:17:39.000000000 +0100
++++ postgresql-9.2.24-patched/src/backend/utils/adt/array_userfuncs.c	2021-06-02 10:05:19.785391004 +0200
+@@ -362,6 +362,7 @@
+ 
+ 	/* Do this mainly for overflow checking */
+ 	nitems = ArrayGetNItems(ndims, dims);
++    ArrayCheckBounds(ndims, dims, lbs);
+ 
+ 	/* build the result array */
+ 	ndatabytes = ndatabytes1 + ndatabytes2;
+diff -ur postgresql-9.2.24/src/backend/utils/adt/arrayutils.c postgresql-9.2.24-patched/src/backend/utils/adt/arrayutils.c
+--- postgresql-9.2.24/src/backend/utils/adt/arrayutils.c	2017-11-06 23:17:39.000000000 +0100
++++ postgresql-9.2.24-patched/src/backend/utils/adt/arrayutils.c	2021-06-02 10:05:19.782390966 +0200
+@@ -233,3 +233,29 @@
+ 
+ 	return result;
+ }
++/*
++ * Verify sanity of proposed lower-bound values for an array
++ *
++ * The lower-bound values must not be so large as to cause overflow when
++ * calculating subscripts, e.g. lower bound 2147483640 with length 10
++ * must be disallowed.  We actually insist that dims[i] + lb[i] be
++ * computable without overflow, meaning that an array with last subscript
++ * equal to INT_MAX will be disallowed.
++ *
++ * It is assumed that the caller already called ArrayGetNItems, so that
++ * overflowed (negative) dims[] values have been eliminated.
++ */
++void
++ArrayCheckBounds(int ndim, const int *dims, const int *lb)
++{
++	int	i;
++
++	for (i = 0; i < ndim; i++)
++	{
++		if (dims[i] + lb[i] < lb[i])
++			ereport(ERROR,
++					(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
++					 errmsg("array lower bound is too large: %d",
++							lb[i])));
++	}
++}
+diff -ur postgresql-9.2.24/src/include/utils/array.h postgresql-9.2.24-patched/src/include/utils/array.h
+--- postgresql-9.2.24/src/include/utils/array.h	2017-11-06 23:17:39.000000000 +0100
++++ postgresql-9.2.24-patched/src/include/utils/array.h	2021-06-02 10:05:19.713390098 +0200
+@@ -273,7 +273,7 @@
+ extern void mda_get_offset_values(int n, int *dist, const int *prod, const int *span);
+ extern int	mda_next_tuple(int n, int *curr, const int *span);
+ extern int32 *ArrayGetIntegerTypmods(ArrayType *arr, int *n);
+-
++extern void ArrayCheckBounds(int ndim, const int *dims, const int *lb);
+ /*
+  * prototypes for functions defined in array_userfuncs.c
+  */
diff --git a/SPECS/postgresql.spec b/SPECS/postgresql.spec
index 7a8be89..4138d9f 100644
--- a/SPECS/postgresql.spec
+++ b/SPECS/postgresql.spec
@@ -63,7 +63,7 @@ Summary: PostgreSQL client programs
 Name: postgresql
 %global majorversion 9.2
 Version: 9.2.24
-Release: 6%{?dist}
+Release: 7%{?dist}
 
 # The PostgreSQL license is very similar to other MIT licenses, but the OSI
 # recognizes it as an independent license, so we do as well.
@@ -156,6 +156,7 @@ Patch18: postgresql-9.2.24-CVE-2020-25695.patch
 # Upstream commit: ffa2d37e5fbd1243f918f622113d6e371667e5a0
 # See BZ#1741488
 Patch19: postgresql-9.2.24-CVE-2019-10208.patch
+Patch20: postgresql-CVE-2021-32027.patch
 
 BuildRequires: perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk help2man
 BuildRequires: perl(ExtUtils::Embed), perl-devel
@@ -400,6 +401,7 @@ benchmarks.
 %patch17 -p1
 %patch18 -p1
 %patch19 -p1
+%patch20 -p1
 
 # We used to run autoconf here, but there's no longer any real need to,
 # since Postgres ships with a reasonably modern configure script.
@@ -1197,6 +1199,10 @@ fi
 %endif
 
 %changelog
+* Wed Jul 2 2021 Filip Januš <fjanus@redhat.com> - 9.2.24-7
+- Fix CVE-2021-32027
+- Resolves: #1964507
+
 * Wed Apr 14 2021 Patrik Novotný <panovotn@redhat.com> - 9.2.24-6
 - Patch fixing BZ#1741488 CVE-2019-10208