Index: src/backend/utils/adt/geo_ops.c
===================================================================
RCS file: /var/lib/cvs/pgsql-server/src/backend/utils/adt/geo_ops.c,v
retrieving revision 1.63
diff -c -r1.63 geo_ops.c
*** src/backend/utils/adt/geo_ops.c	16 Jul 2002 03:30:27 -0000	1.63
--- src/backend/utils/adt/geo_ops.c	28 Aug 2002 19:07:01 -0000
***************
*** 269,279 ****
  static char *
  path_encode(bool closed, int npts, Point *pt)
  {
! 	char	   *result = palloc(npts * (P_MAXLEN + 3) + 2);
! 
  	char	   *cp;
  	int			i;
  
  	cp = result;
  	switch (closed)
  	{
--- 269,285 ----
  static char *
  path_encode(bool closed, int npts, Point *pt)
  {
! 	int			size = npts * (P_MAXLEN + 3) + 2;
! 	char	   *result;
  	char	   *cp;
  	int			i;
  
+ 	/* Check for integer overflow */
+ 	if ((size - 2) / npts != (P_MAXLEN + 3))
+ 		elog(ERROR, "Too many points requested");
+ 
+ 	result = palloc(size);
+ 
  	cp = result;
  	switch (closed)
  	{
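Review bot: The new guard `(size - 2) / npts` divides by npts before anything has checked it is non-zero, so if any caller can reach path_encode with npts == 0 (e.g. from on-disk data rather than the parser) the check itself faults; negative npts also passes the test and reaches palloc with a bogus size. The multiplication on the added `size` initializer has also already happened in signed int when the check runs, so the test only detects wrap-around after the fact, which an optimizing compiler is entitled to assume never occurs. A pre-multiplication bound avoids both: `if (npts <= 0 || npts > (INT_MAX - 2) / (P_MAXLEN + 3)) elog(ERROR, "Too many points requested");` followed by `size = npts * (P_MAXLEN + 3) + 2;` (with `int size;` left uninitialized in the declaration; INT_MAX assumes <limits.h> is reachable here, which I cannot see from the hunk). path_encode's body continues past the end of the hunk.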
***************
*** 1230,1236 ****
  		depth++;
  	}
  
! 	size = offsetof(PATH, p[0]) +sizeof(path->p[0]) * npts;
  	path = (PATH *) palloc(size);
  
  	path->size = size;
--- 1236,1242 ----
  		depth++;
  	}
  
! 	size = offsetof(PATH, p[0]) + sizeof(path->p[0]) * npts;
  	path = (PATH *) palloc(size);
  
  	path->size = size;
***************
*** 3596,3608 ****
  	PATH	   *p1 = PG_GETARG_PATH_P(0);
  	PATH	   *p2 = PG_GETARG_PATH_P(1);
  	PATH	   *result;
! 	int			size;
  	int			i;
  
  	if (p1->closed || p2->closed)
  		PG_RETURN_NULL();
  
! 	size = offsetof(PATH, p[0]) +sizeof(p1->p[0]) * (p1->npts + p2->npts);
  	result = (PATH *) palloc(size);
  
  	result->size = size;
--- 3602,3622 ----
  	PATH	   *p1 = PG_GETARG_PATH_P(0);
  	PATH	   *p2 = PG_GETARG_PATH_P(1);
  	PATH	   *result;
! 	int			size,
! 				base_size;
  	int			i;
  
  	if (p1->closed || p2->closed)
  		PG_RETURN_NULL();
  
! 	base_size = sizeof(p1->p[0]) * (p1->npts + p2->npts);
! 	size = offsetof(PATH, p[0]) + base_size;
! 
! 	/* Check for integer overflow */
! 	if (base_size / sizeof(p1->p[0]) != (p1->npts + p2->npts) ||
! 		size <= base_size)
! 		elog(ERROR, "too many points requested.");
! 
  	result = (PATH *) palloc(size);
  
  	result->size = size;
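Review bot: The `size <= base_size` test only fires after `offsetof(PATH, p[0]) + base_size` has overflowed a signed int, which is undefined behaviour rather than wrap-around, and `base_size` itself is a size_t product truncated into an int before being divided back as a size_t in the first half of the condition; the check works on common ABIs but reads as accidental, and the same post-hoc pattern appears in the circle_poly hunk at line 4427. Checking the count before any multiplication keeps every intermediate in range: `if (p1->npts + p2->npts > (INT_MAX - offsetof(PATH, p[0])) / sizeof(p1->p[0])) elog(ERROR, "too many points requested");` then compute `base_size`/`size` as now (INT_MAX assumes <limits.h>, which the hunk does not show). Separately, the message here is `"too many points requested."` with a trailing period while path_encode says `"Too many points requested"` and circle_poly `"too many points requested"`; one spelling across the three would make log searching easier. path_add's body extends beyond both edges of this hunk.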
***************
*** 4413,4429 ****
  	int32		npts = PG_GETARG_INT32(0);
  	CIRCLE	   *circle = PG_GETARG_CIRCLE_P(1);
  	POLYGON    *poly;
! 	int			size;
  	int			i;
  	double		angle;
  
  	if (FPzero(circle->radius) || (npts < 2))
  		elog(ERROR, "Unable to convert circle to polygon");
  
! 	size = offsetof(POLYGON, p[0]) +(sizeof(poly->p[0]) * npts);
  	poly = (POLYGON *) palloc(size);
  
! 	MemSet((char *) poly, 0, size);		/* zero any holes */
  	poly->size = size;
  	poly->npts = npts;
  
--- 4427,4450 ----
  	int32		npts = PG_GETARG_INT32(0);
  	CIRCLE	   *circle = PG_GETARG_CIRCLE_P(1);
  	POLYGON    *poly;
! 	int			base_size,
! 				size;
  	int			i;
  	double		angle;
  
  	if (FPzero(circle->radius) || (npts < 2))
  		elog(ERROR, "Unable to convert circle to polygon");
  
! 	base_size = sizeof(poly->p[0]) * npts;
! 	size = offsetof(POLYGON, p[0]) + base_size;
! 
! 	/* Check for integer overflow */
! 	if (base_size / npts != sizeof(poly->p[0]) || size <= base_size)
! 		elog(ERROR, "too many points requested");
! 
  	poly = (POLYGON *) palloc(size);
  
! 	MemSet(poly, 0, size);		/* zero any holes */
  	poly->size = size;
  	poly->npts = npts;
  
