.gitignore

@@ -1,4 +1,6 @@
-SOURCES/postgresql-10.23-US.pdf
-SOURCES/postgresql-10.23.tar.bz2
-SOURCES/postgresql-9.2.24.tar.bz2
-SOURCES/postgresql-setup-8.7.tar.gz
+/postgresql-10.23.tar.bz2
+/postgresql-10.23.tar.bz2.sha256
+/postgresql-9.2.24.tar.bz2
+/postgresql-9.2.24.tar.bz2.sha256
+/postgresql-setup-8.7.tar.gz
+/postgresql-10.23-US.pdf

.postgresql.metadata

@@ -1,4 +0,0 @@
-a416c245ff0815fbde534bc49b0a07ffdd373894 SOURCES/postgresql-10.23-US.pdf
-2df7b4b3751112f3cb543c3ea81e45531bebc7a1 SOURCES/postgresql-10.23.tar.bz2
-63d6966ccdbab6aae1f9754fdb8e341ada1ef653 SOURCES/postgresql-9.2.24.tar.bz2
-fb97095dc9648f9c31d58fcb406831da5e419ddf SOURCES/postgresql-setup-8.7.tar.gz

SOURCES/postgresql-10.23.tar.bz2.sha256

@@ -1 +0,0 @@
-94a4b2528372458e5662c18d406629266667c437198160a18cdfd2c4a4d6eee9  postgresql-10.23.tar.bz2

SOURCES/postgresql-9.2.24.tar.bz2.sha256

@@ -1 +0,0 @@
-a754c02f7051c2f21e52f8669a421b50485afcde9a581674d6106326b189d126  postgresql-9.2.24.tar.bz2

generate-sources-and-gitignore.sh

@@ -0,0 +1,13 @@
+#! /bin/sh
+
+rm sources .gitignore
+set -e
+spectool -S *.spec | cut -d' ' -f2 \
+    | grep -E -e 'postgresql-.*\.tar\.*' -e 'postgresql.*\.pdf' | sort | \
+while read line
+do
+    base=`basename "$line"`
+    echo " * handling $base"
+    sha512sum --tag "$base" >> sources
+    echo "/$base" >> .gitignore
+done

hstore-plperl-data-dumper.patch

@@ -0,0 +1,192 @@
+From 69db3b0cfccc0687dfbdf56afcfb2f8e536053c6 Mon Sep 17 00:00:00 2001
+From: Andrew Dunstan <andrew@dunslane.net>
+Date: Sun, 14 May 2017 01:10:18 -0400
+Subject: [PATCH] Suppress indentation from Data::Dumper in regression tests
+
+Ultra-modern versions of the perl Data::Dumper module have apparently
+changed how they indent output. Instead of trying to keep up we choose
+to tell it to supporess all indentation in the hstore_plperl regression
+tests.
+
+Backpatch to 9.5 where this feature was introduced.
+---
+ contrib/hstore_plperl/expected/hstore_plperlu.out | 44 ++++++-----------------
+ contrib/hstore_plperl/sql/hstore_plperlu.sql      |  6 ++++
+ 2 files changed, 17 insertions(+), 33 deletions(-)
+
+diff --git a/contrib/hstore_plperl/expected/hstore_plperlu.out b/contrib/hstore_plperl/expected/hstore_plperlu.out
+index b09fb78..d719d29 100644
+--- a/contrib/hstore_plperl/expected/hstore_plperlu.out
++++ b/contrib/hstore_plperl/expected/hstore_plperlu.out
+@@ -20,15 +20,12 @@ TRANSFORM FOR TYPE hstore
+ AS $$
+ use Data::Dumper;
+ $Data::Dumper::Sortkeys = 1;
++$Data::Dumper::Indent = 0;
+ elog(INFO, Dumper($_[0]));
+ return scalar(keys %{$_[0]});
+ $$;
+ SELECT test1('aa=>bb, cc=>NULL'::hstore);
+-INFO:  $VAR1 = {
+-          'aa' => 'bb',
+-          'cc' => undef
+-        };
+-
++INFO:  $VAR1 = {'aa' => 'bb','cc' => undef};
+  test1 
+ -------
+      2
+@@ -39,12 +36,12 @@ LANGUAGE plperlu
+ AS $$
+ use Data::Dumper;
+ $Data::Dumper::Sortkeys = 1;
++$Data::Dumper::Indent = 0;
+ elog(INFO, Dumper($_[0]));
+ return scalar(keys %{$_[0]});
+ $$;
+ SELECT test1none('aa=>bb, cc=>NULL'::hstore);
+ INFO:  $VAR1 = '"aa"=>"bb", "cc"=>NULL';
+-
+  test1none 
+ -----------
+          0
+@@ -56,15 +53,12 @@ TRANSFORM FOR TYPE hstore
+ AS $$
+ use Data::Dumper;
+ $Data::Dumper::Sortkeys = 1;
++$Data::Dumper::Indent = 0;
+ elog(INFO, Dumper($_[0]));
+ return scalar(keys %{$_[0]});
+ $$;
+ SELECT test1list('aa=>bb, cc=>NULL'::hstore);
+-INFO:  $VAR1 = {
+-          'aa' => 'bb',
+-          'cc' => undef
+-        };
+-
++INFO:  $VAR1 = {'aa' => 'bb','cc' => undef};
+  test1list 
+ -----------
+          2
+@@ -77,18 +71,12 @@ TRANSFORM FOR TYPE hstore
+ AS $$
+ use Data::Dumper;
+ $Data::Dumper::Sortkeys = 1;
++$Data::Dumper::Indent = 0;
+ elog(INFO, Dumper($_[0]->[0], $_[0]->[1]));
+ return scalar(keys %{$_[0]});
+ $$;
+ SELECT test1arr(array['aa=>bb, cc=>NULL'::hstore, 'dd=>ee']);
+-INFO:  $VAR1 = {
+-          'aa' => 'bb',
+-          'cc' => undef
+-        };
+-$VAR2 = {
+-          'dd' => 'ee'
+-        };
+-
++INFO:  $VAR1 = {'aa' => 'bb','cc' => undef};$VAR2 = {'dd' => 'ee'};
+  test1arr 
+ ----------
+         2
+@@ -101,6 +89,7 @@ TRANSFORM FOR TYPE hstore
+ AS $$
+ use Data::Dumper;
+ $Data::Dumper::Sortkeys = 1;
++$Data::Dumper::Indent = 0;
+ 
+ $rv = spi_exec_query(q{SELECT 'aa=>bb, cc=>NULL'::hstore AS col1});
+ elog(INFO, Dumper($rv->{rows}[0]->{col1}));
+@@ -111,13 +100,8 @@ $rv = spi_exec_prepared($plan, {}, $val);
+ elog(INFO, Dumper($rv->{rows}[0]->{col1}));
+ $$;
+ SELECT test3();
+-INFO:  $VAR1 = {
+-          'aa' => 'bb',
+-          'cc' => undef
+-        };
+-
++INFO:  $VAR1 = {'aa' => 'bb','cc' => undef};
+ INFO:  $VAR1 = '"a"=>"1", "b"=>"boo", "c"=>NULL';
+-
+  test3 
+ -------
+  
+@@ -138,6 +122,7 @@ TRANSFORM FOR TYPE hstore
+ AS $$
+ use Data::Dumper;
+ $Data::Dumper::Sortkeys = 1;
++$Data::Dumper::Indent = 0;
+ elog(INFO, Dumper($_TD->{new}));
+ if ($_TD->{new}{a} == 1) {
+     $_TD->{new}{b} = {a => 1, b => 'boo', c => undef};
+@@ -147,14 +132,7 @@ return "MODIFY";
+ $$;
+ CREATE TRIGGER test4 BEFORE UPDATE ON test1 FOR EACH ROW EXECUTE PROCEDURE test4();
+ UPDATE test1 SET a = a;
+-INFO:  $VAR1 = {
+-          'a' => '1',
+-          'b' => {
+-                 'aa' => 'bb',
+-                 'cc' => undef
+-               }
+-        };
+-
++INFO:  $VAR1 = {'a' => '1','b' => {'aa' => 'bb','cc' => undef}};
+ SELECT * FROM test1;
+  a |                b                
+ ---+---------------------------------
+diff --git a/contrib/hstore_plperl/sql/hstore_plperlu.sql b/contrib/hstore_plperl/sql/hstore_plperlu.sql
+index 8d8508c..c714b35 100644
+--- a/contrib/hstore_plperl/sql/hstore_plperlu.sql
++++ b/contrib/hstore_plperl/sql/hstore_plperlu.sql
+@@ -15,6 +15,7 @@ TRANSFORM FOR TYPE hstore
+ AS $$
+ use Data::Dumper;
+ $Data::Dumper::Sortkeys = 1;
++$Data::Dumper::Indent = 0;
+ elog(INFO, Dumper($_[0]));
+ return scalar(keys %{$_[0]});
+ $$;
+@@ -26,6 +27,7 @@ LANGUAGE plperlu
+ AS $$
+ use Data::Dumper;
+ $Data::Dumper::Sortkeys = 1;
++$Data::Dumper::Indent = 0;
+ elog(INFO, Dumper($_[0]));
+ return scalar(keys %{$_[0]});
+ $$;
+@@ -38,6 +40,7 @@ TRANSFORM FOR TYPE hstore
+ AS $$
+ use Data::Dumper;
+ $Data::Dumper::Sortkeys = 1;
++$Data::Dumper::Indent = 0;
+ elog(INFO, Dumper($_[0]));
+ return scalar(keys %{$_[0]});
+ $$;
+@@ -52,6 +55,7 @@ TRANSFORM FOR TYPE hstore
+ AS $$
+ use Data::Dumper;
+ $Data::Dumper::Sortkeys = 1;
++$Data::Dumper::Indent = 0;
+ elog(INFO, Dumper($_[0]->[0], $_[0]->[1]));
+ return scalar(keys %{$_[0]});
+ $$;
+@@ -66,6 +70,7 @@ TRANSFORM FOR TYPE hstore
+ AS $$
+ use Data::Dumper;
+ $Data::Dumper::Sortkeys = 1;
++$Data::Dumper::Indent = 0;
+ 
+ $rv = spi_exec_query(q{SELECT 'aa=>bb, cc=>NULL'::hstore AS col1});
+ elog(INFO, Dumper($rv->{rows}[0]->{col1}));
+@@ -90,6 +95,7 @@ TRANSFORM FOR TYPE hstore
+ AS $$
+ use Data::Dumper;
+ $Data::Dumper::Sortkeys = 1;
++$Data::Dumper::Indent = 0;
+ elog(INFO, Dumper($_TD->{new}));
+ if ($_TD->{new}{a} == 1) {
+     $_TD->{new}{b} = {a => 1, b => 'boo', c => undef};
+-- 
+2.1.4

postgresql-CVE-2024-0985.patch

@@ -0,0 +1,59 @@
+Backport of the upstream commit:
+https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=2699fc035a75d0774c1f013e9320882287f78adb
+
+Fix CVE-2023-5869
+
+diff -ur postgresql-10.23/src/backend/commands/matview.c postgresql-10.23_patch/src/backend/commands/matview.c
+--- postgresql-10.23/src/backend/commands/matview.c	2022-11-07 22:51:10.000000000 +0100
++++ postgresql-10.23_patch/src/backend/commands/matview.c	2024-02-12 21:22:57.000000000 +0100
+@@ -646,14 +646,35 @@
+ 				 errdetail("Row: %s",
+ 						   SPI_getvalue(SPI_tuptable->vals[0], SPI_tuptable->tupdesc, 1))));
+ 	}
+-
++	/*
++	 * Create the temporary "diff" table.
++	 *
++	 * Temporarily switch out of the SECURITY_RESTRICTED_OPERATION context,
++	 * because you cannot create temp tables in SRO context.  For extra
++	 * paranoia, add the composite type column only after switching back to
++	 * SRO context.
++	 */
+ 	SetUserIdAndSecContext(relowner,
+ 						   save_sec_context | SECURITY_LOCAL_USERID_CHANGE);
++	resetStringInfo(&querybuf);
++	appendStringInfo(&querybuf,
++					 "CREATE TEMP TABLE %s (tid pg_catalog.tid)",
++					 diffname);
++	if (SPI_exec(querybuf.data, 0) != SPI_OK_UTILITY)
++		elog(ERROR, "SPI_exec failed: %s", querybuf.data);
++	SetUserIdAndSecContext(relowner,
++						   save_sec_context | SECURITY_RESTRICTED_OPERATION);
++	resetStringInfo(&querybuf);
++	appendStringInfo(&querybuf,
++					 "ALTER TABLE %s ADD COLUMN newdata %s",
++					 diffname, tempname);
++	if (SPI_exec(querybuf.data, 0) != SPI_OK_UTILITY)
++		elog(ERROR, "SPI_exec failed: %s", querybuf.data);
+ 
+ 	/* Start building the query for creating the diff table. */
+ 	resetStringInfo(&querybuf);
+ 	appendStringInfo(&querybuf,
+-					 "CREATE TEMP TABLE %s AS "
++					 "INSERT INTO %s "
+ 					 "SELECT mv.ctid AS tid, newdata.*::%s AS newdata "
+ 					 "FROM %s mv FULL JOIN %s newdata ON (",
+ 					 diffname, tempname, matviewname, tempname);
+@@ -783,11 +804,9 @@
+ 						   "ORDER BY tid");
+ 
+ 	/* Create the temporary "diff" table. */
+-	if (SPI_exec(querybuf.data, 0) != SPI_OK_UTILITY)
++	if (SPI_exec(querybuf.data, 0) != SPI_OK_INSERT)
+ 		elog(ERROR, "SPI_exec failed: %s", querybuf.data);
+ 
+-	SetUserIdAndSecContext(relowner,
+-						   save_sec_context | SECURITY_RESTRICTED_OPERATION);
+ 
+ 	/*
+ 	 * We have no further use for data from the "full-data" temp table, but we

postgresql-array-overflow.patch

@@ -1,8 +1,7 @@
-From d267cea24ea346c739c85bf7bccbd8e8f59da6b3 Mon Sep 17 00:00:00 2001
+From c48008f599fd0e3bca2923ff5b40b559ae1e4e2e Mon Sep 17 00:00:00 2001
 From: Tom Lane <tgl@sss.pgh.pa.us>
 Date: Mon, 6 Nov 2023 10:56:43 -0500
-Subject: [PATCH 1/1] Detect integer overflow while computing new array
- dimensions.
+Subject: [PATCH] Detect integer overflow while computing new array dimensions.
 
 array_set_element() and related functions allow an array to be
 enlarged by assigning to subscripts outside the current array bounds.
@@ -27,17 +26,13 @@ lacks that parameter, so omit the tests in that branch.
 Our thanks to Pedro Gallegos for reporting this problem.
 
 Security: CVE-2023-5869
-Sign-Off-By: Tianyue Lan <tianyue.lan@oracle.com>
-
 ---
- src/backend/utils/adt/arrayfuncs.c   | 85 ++++++++++++++++++++++------
- src/backend/utils/adt/arrayutils.c   |  6 --
- src/include/utils/array.h            |  7 +++
- src/test/regress/expected/arrays.out | 17 ++++++
- src/test/regress/sql/arrays.sql      | 19 +++++++
- src/include/common/int.h | 273 +++++++++++++++++++++++++++++++++++++++
+ src/backend/utils/adt/arrayfuncs.c | 85 +++++++++++++++++++++++-------
+ src/backend/utils/adt/arrayutils.c |  6 ---
+ src/include/common/int.h           | 69 ++++++++++++++++++++++++
+ src/include/utils/array.h          |  6 +++
+ 4 files changed, 142 insertions(+), 24 deletions(-)
  create mode 100644 src/include/common/int.h
- 6 files changed, 383 insertions(+), 24 deletions(-)
 
 diff --git a/src/backend/utils/adt/arrayfuncs.c b/src/backend/utils/adt/arrayfuncs.c
 index 553c517..7363893 100644
@@ -215,89 +210,12 @@ index f7c6a51..eb5f2a0 100644
  	if (ndim <= 0)
  		return 0;
  	ret = 1;
-diff --git a/src/include/utils/array.h b/src/include/utils/array.h
-index 905f6b0..3e4c09d 100644
---- a/src/include/utils/array.h
-+++ b/src/include/utils/array.h
-@@ -65,6 +65,13 @@
- #include "utils/expandeddatum.h"
- 
- 
-+/*
-+ * Maximum number of elements in an array.  We limit this to at most about a
-+ * quarter billion elements, so that it's not necessary to check for overflow
-+ * in quite so many places --- for instance when palloc'ing Datum arrays.
-+ */
-+#define MaxArraySize ((Size) (MaxAllocSize / sizeof(Datum)))
-+
- /*
-  * Arrays are varlena objects, so must meet the varlena convention that
-  * the first int32 of the object contains the total object size in bytes.
-diff --git a/src/test/regress/expected/arrays.out b/src/test/regress/expected/arrays.out
-index c730563..e4ec394 100644
---- a/src/test/regress/expected/arrays.out
-+++ b/src/test/regress/expected/arrays.out
-@@ -1347,6 +1347,23 @@ insert into arr_pk_tbl(pk, f1[1:2]) values (1, '{6,7,8}') on conflict (pk)
- -- then you didn't get an indexscan plan, and something is busted.
- reset enable_seqscan;
- reset enable_bitmapscan;
-+-- test subscript overflow detection
-+-- The normal error message includes a platform-dependent limit,
-+-- so suppress it to avoid needing multiple expected-files.
-+\set VERBOSITY terse
-+insert into arr_pk_tbl values(10, '[-2147483648:-2147483647]={1,2}');
-+update arr_pk_tbl set f1[2147483647] = 42 where pk = 10;
-+ERROR:  array size exceeds the maximum allowed (134217727)
-+update arr_pk_tbl set f1[2147483646:2147483647] = array[4,2] where pk = 10;
-+ERROR:  array size exceeds the maximum allowed (134217727)
-+-- also exercise the expanded-array case
-+do $$ declare a int[];
-+begin
-+  a := '[-2147483648:-2147483647]={1,2}'::int[];
-+  a[2147483647] := 42;
-+end $$;
-+ERROR:  array size exceeds the maximum allowed (134217727)
-+\set VERBOSITY default
- -- test [not] (like|ilike) (any|all) (...)
- select 'foo' like any (array['%a', '%o']); -- t
-  ?column? 
-diff --git a/src/test/regress/sql/arrays.sql b/src/test/regress/sql/arrays.sql
-index 25dd4e2..4ad6e55 100644
---- a/src/test/regress/sql/arrays.sql
-+++ b/src/test/regress/sql/arrays.sql
-@@ -407,6 +407,25 @@ insert into arr_pk_tbl(pk, f1[1:2]) values (1, '{6,7,8}') on conflict (pk)
- reset enable_seqscan;
- reset enable_bitmapscan;
- 
-+-- test subscript overflow detection
-+
-+-- The normal error message includes a platform-dependent limit,
-+-- so suppress it to avoid needing multiple expected-files.
-+\set VERBOSITY terse
-+
-+insert into arr_pk_tbl values(10, '[-2147483648:-2147483647]={1,2}');
-+update arr_pk_tbl set f1[2147483647] = 42 where pk = 10;
-+update arr_pk_tbl set f1[2147483646:2147483647] = array[4,2] where pk = 10;
-+
-+-- also exercise the expanded-array case
-+do $$ declare a int[];
-+begin
-+  a := '[-2147483648:-2147483647]={1,2}'::int[];
-+  a[2147483647] := 42;
-+end $$;
-+
-+\set VERBOSITY default
-+
- -- test [not] (like|ilike) (any|all) (...)
- select 'foo' like any (array['%a', '%o']); -- t
- select 'foo' like any (array['%a', '%b']); -- f
-
 diff --git a/src/include/common/int.h b/src/include/common/int.h
 new file mode 100644
-index 0000000..d754798
+index 0000000..4235586
 --- /dev/null
 +++ b/src/include/common/int.h
-@@ -0,0 +1,273 @@
+@@ -0,0 +1,69 @@
 +/*-------------------------------------------------------------------------
 + *
 + * int.h
@@ -311,7 +229,7 @@ index 0000000..d754798
 + * the 64 bit cases can be considerably faster with intrinsics. In case no
 + * intrinsics are available 128 bit math is used where available.
 + *
-+ * Copyright (c) 2017-2019, PostgreSQL Global Development Group
++ * Copyright (c) 2017-2018, PostgreSQL Global Development Group
 + *
 + * src/include/common/int.h
 + *
@@ -326,75 +244,6 @@ index 0000000..d754798
 + * overflow.
 + */
 +static inline bool
-+pg_add_s16_overflow(int16 a, int16 b, int16 *result)
-+{
-+#if defined(HAVE__BUILTIN_OP_OVERFLOW)
-+	return __builtin_add_overflow(a, b, result);
-+#else
-+	int32		res = (int32) a + (int32) b;
-+
-+	if (res > PG_INT16_MAX || res < PG_INT16_MIN)
-+	{
-+		*result = 0x5EED;		/* to avoid spurious warnings */
-+		return true;
-+	}
-+	*result = (int16) res;
-+	return false;
-+#endif
-+}
-+
-+/*
-+ * If a - b overflows, return true, otherwise store the result of a - b into
-+ * *result. The content of *result is implementation defined in case of
-+ * overflow.
-+ */
-+static inline bool
-+pg_sub_s16_overflow(int16 a, int16 b, int16 *result)
-+{
-+#if defined(HAVE__BUILTIN_OP_OVERFLOW)
-+	return __builtin_sub_overflow(a, b, result);
-+#else
-+	int32		res = (int32) a - (int32) b;
-+
-+	if (res > PG_INT16_MAX || res < PG_INT16_MIN)
-+	{
-+		*result = 0x5EED;		/* to avoid spurious warnings */
-+		return true;
-+	}
-+	*result = (int16) res;
-+	return false;
-+#endif
-+}
-+
-+/*
-+ * If a * b overflows, return true, otherwise store the result of a * b into
-+ * *result. The content of *result is implementation defined in case of
-+ * overflow.
-+ */
-+static inline bool
-+pg_mul_s16_overflow(int16 a, int16 b, int16 *result)
-+{
-+#if defined(HAVE__BUILTIN_OP_OVERFLOW)
-+	return __builtin_mul_overflow(a, b, result);
-+#else
-+	int32		res = (int32) a * (int32) b;
-+
-+	if (res > PG_INT16_MAX || res < PG_INT16_MIN)
-+	{
-+		*result = 0x5EED;		/* to avoid spurious warnings */
-+		return true;
-+	}
-+	*result = (int16) res;
-+	return false;
-+#endif
-+}
-+
-+/*
-+ * If a + b overflows, return true, otherwise store the result of a + b into
-+ * *result. The content of *result is implementation defined in case of
-+ * overflow.
-+ */
-+static inline bool
 +pg_add_s32_overflow(int32 a, int32 b, int32 *result)
 +{
 +#if defined(HAVE__BUILTIN_OP_OVERFLOW)
@@ -435,142 +284,23 @@ index 0000000..d754798
 +#endif
 +}
 +
-+/*
-+ * If a * b overflows, return true, otherwise store the result of a * b into
-+ * *result. The content of *result is implementation defined in case of
-+ * overflow.
-+ */
-+static inline bool
-+pg_mul_s32_overflow(int32 a, int32 b, int32 *result)
-+{
-+#if defined(HAVE__BUILTIN_OP_OVERFLOW)
-+	return __builtin_mul_overflow(a, b, result);
-+#else
-+	int64		res = (int64) a * (int64) b;
-+
-+	if (res > PG_INT32_MAX || res < PG_INT32_MIN)
-+	{
-+		*result = 0x5EED;		/* to avoid spurious warnings */
-+		return true;
-+	}
-+	*result = (int32) res;
-+	return false;
-+#endif
-+}
-+
-+/*
-+ * If a + b overflows, return true, otherwise store the result of a + b into
-+ * *result. The content of *result is implementation defined in case of
-+ * overflow.
-+ */
-+static inline bool
-+pg_add_s64_overflow(int64 a, int64 b, int64 *result)
-+{
-+#if defined(HAVE__BUILTIN_OP_OVERFLOW)
-+	return __builtin_add_overflow(a, b, result);
-+#elif defined(HAVE_INT128)
-+	int128		res = (int128) a + (int128) b;
-+
-+	if (res > PG_INT64_MAX || res < PG_INT64_MIN)
-+	{
-+		*result = 0x5EED;		/* to avoid spurious warnings */
-+		return true;
-+	}
-+	*result = (int64) res;
-+	return false;
-+#else
-+	if ((a > 0 && b > 0 && a > PG_INT64_MAX - b) ||
-+		(a < 0 && b < 0 && a < PG_INT64_MIN - b))
-+	{
-+		*result = 0x5EED;		/* to avoid spurious warnings */
-+		return true;
-+	}
-+	*result = a + b;
-+	return false;
-+#endif
-+}
-+
-+/*
-+ * If a - b overflows, return true, otherwise store the result of a - b into
-+ * *result. The content of *result is implementation defined in case of
-+ * overflow.
-+ */
-+static inline bool
-+pg_sub_s64_overflow(int64 a, int64 b, int64 *result)
-+{
-+#if defined(HAVE__BUILTIN_OP_OVERFLOW)
-+	return __builtin_sub_overflow(a, b, result);
-+#elif defined(HAVE_INT128)
-+	int128		res = (int128) a - (int128) b;
-+
-+	if (res > PG_INT64_MAX || res < PG_INT64_MIN)
-+	{
-+		*result = 0x5EED;		/* to avoid spurious warnings */
-+		return true;
-+	}
-+	*result = (int64) res;
-+	return false;
-+#else
-+	if ((a < 0 && b > 0 && a < PG_INT64_MIN + b) ||
-+		(a > 0 && b < 0 && a > PG_INT64_MAX + b))
-+	{
-+		*result = 0x5EED;		/* to avoid spurious warnings */
-+		return true;
-+	}
-+	*result = a - b;
-+	return false;
-+#endif
-+}
-+
-+/*
-+ * If a * b overflows, return true, otherwise store the result of a * b into
-+ * *result. The content of *result is implementation defined in case of
-+ * overflow.
-+ */
-+static inline bool
-+pg_mul_s64_overflow(int64 a, int64 b, int64 *result)
-+{
-+#if defined(HAVE__BUILTIN_OP_OVERFLOW)
-+	return __builtin_mul_overflow(a, b, result);
-+#elif defined(HAVE_INT128)
-+	int128		res = (int128) a * (int128) b;
-+
-+	if (res > PG_INT64_MAX || res < PG_INT64_MIN)
-+	{
-+		*result = 0x5EED;		/* to avoid spurious warnings */
-+		return true;
-+	}
-+	*result = (int64) res;
-+	return false;
-+#else
-+	/*
-+	 * Overflow can only happen if at least one value is outside the range
-+	 * sqrt(min)..sqrt(max) so check that first as the division can be quite a
-+	 * bit more expensive than the multiplication.
-+	 *
-+	 * Multiplying by 0 or 1 can't overflow of course and checking for 0
-+	 * separately avoids any risk of dividing by 0.  Be careful about dividing
-+	 * INT_MIN by -1 also, note reversing the a and b to ensure we're always
-+	 * dividing it by a positive value.
-+	 *
-+	 */
-+	if ((a > PG_INT32_MAX || a < PG_INT32_MIN ||
-+		 b > PG_INT32_MAX || b < PG_INT32_MIN) &&
-+		a != 0 && a != 1 && b != 0 && b != 1 &&
-+		((a > 0 && b > 0 && a > PG_INT64_MAX / b) ||
-+		 (a > 0 && b < 0 && b < PG_INT64_MIN / a) ||
-+		 (a < 0 && b > 0 && a < PG_INT64_MIN / b) ||
-+		 (a < 0 && b < 0 && a < PG_INT64_MAX / b)))
-+	{
-+		*result = 0x5EED;		/* to avoid spurious warnings */
-+		return true;
-+	}
-+	*result = a * b;
-+	return false;
-+#endif
-+}
-+
 +#endif							/* COMMON_INT_H */
+diff --git a/src/include/utils/array.h b/src/include/utils/array.h
+index 905f6b0..2d96834 100644
+--- a/src/include/utils/array.h
++++ b/src/include/utils/array.h
+@@ -64,6 +64,12 @@
+ #include "fmgr.h"
+ #include "utils/expandeddatum.h"
+ 
++/*
++ * Maximum number of elements in an array.  We limit this to at most about a
++ * quarter billion elements, so that it's not necessary to check for overflow
++ * in quite so many places --- for instance when palloc'ing Datum arrays.
++ */
++#define MaxArraySize ((Size) (MaxAllocSize / sizeof(Datum)))
+ 
+ /*
+  * Arrays are varlena objects, so must meet the varlena convention that
 -- 
-2.39.3
-
+2.43.0

postgresql.spec

@@ -59,7 +59,7 @@ Summary: PostgreSQL client programs
 Name: postgresql
 %global majorversion 10
 Version: %{majorversion}.23
-Release: 3%{?dist}
+Release: 4%{?dist}
 
 # The PostgreSQL license is very similar to other MIT licenses, but the OSI
 # recognizes it as an independent license, so we do as well.
@@ -110,7 +110,9 @@ Patch9: postgresql-server-pg_config.patch
 Patch10: postgresql-10.15-contrib-dblink-expected-out.patch
 Patch11: postgresql-10.23-CVE-2023-2454.patch
 Patch12: postgresql-10.23-CVE-2023-2455.patch
-Patch13: postgresql-10.23-CVE-2023-5869.patch
+# Fixes CVE-2023-5869
+Patch13: postgresql-array-overflow.patch
+Patch14: postgresql-CVE-2024-0985.patch
 
 BuildRequires: gcc
 BuildRequires: perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk
@@ -373,6 +375,7 @@ benchmarks.
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
+%patch14 -p1
 
 # We used to run autoconf here, but there's no longer any real need to,
 # since Postgres ships with a reasonably modern configure script.
@@ -1177,11 +1180,12 @@ make -C postgresql-setup-%{setup_version} check
 
 
 %changelog
-* Mon Dec 18 2023 Lubos Kloucek <lubos.kloucek@oracle.com> - 10.23-3
-- Resolves: CVE-2023-5869
+* Mon Feb 12 2024 Filip Janus <fjanus@redhat.cmo> - 10.23-4
+- Fix CVE-2024-0985
+- backport upstream commit
 
-* Tue Aug 08 2023 David Sloboda <david.x.sloboda@oracle.com> - 10.23-2.0.1
-- Fixed postgresql port binding issue during bootup [Orabug: 35103668]
+* Fri Dec 01 2023 Dominik Rehák <drehak@redhat.com> - 10.23-3
+- Fix: CVE-2023-5869
 
 * Wed Jul 19 2023 Dominik Rehák <drehak@redhat.com> - 10.23-2
 - Backport fixes for CVE-2023-2454 and CVE-2023-2455

sources

@@ -0,0 +1,6 @@
+SHA512 (postgresql-10.23.tar.bz2) = 9fd031cad0c3caacae105215167abd5dc4fdd15dea77a12cb0a977fab6e245e3fda163f202cc7786e50c69e5c3f180d32676a3b18ea30a9a14f0bcab56aa19dd
+SHA512 (postgresql-10.23.tar.bz2.sha256) = 1b8f25bb914b9c87679ff688625889a96f2e0e836a9fd0f19dcdf4e74798d96980cb09cb485cff7069b9fe6b9d5c03e162eac9d0ecb205e8e3f0d83358f641d2
+SHA512 (postgresql-9.2.24.tar.bz2) = a6f043e5ef5e12e23c1c43b26a5ecafce62f3a86f38b5b85e7cb0cb7aa376d40e460a526baf67ae40de40525e4744fb5e48650ee5e007db4ce9742fcf548bd56
+SHA512 (postgresql-9.2.24.tar.bz2.sha256) = 04e5ce7b8a4f8ef281cd3f59e18f41974356e92775c459de61383ba6254d84cb21a7d3a3506ec5416fc3e5090535d5961d9cc7cbe04591217aa9b9e142418170
+SHA512 (postgresql-setup-8.7.tar.gz) = 741f036be517e7d9725e4f146ca7dac8b8a16b6a93d045a64ef268487f48faad6b08317b58e07ad16a31002d2a10de0ac32513a4935c3f22f48ec768a742d1fc
+SHA512 (postgresql-10.23-US.pdf) = 561a7a0ebe539e7f4d7dff890fa14ac0d61e3e5a1a96b99304208208460d9d4d037e2d74766ae071ecbf3ecb22cee24b06b73226c4eafb5c5bb51896cbf441eb