NotificationsYou must be signed in to change notification settings
Fork4.9k
Star17.7k

Commita89781e

committed

Fix possible internal overflow in numeric multiplication.

mul_var() postpones propagating carries until it risks overflow in itsinternal digit array. However, the logic failed to account for thepossibility of overflow in the carry propagation step, allowing wrongresults to be generated in corner cases. We must slightly reduce thewhen-to-propagate-carries threshold to avoid that.Discovered and fixed by Dean Rasheed, with small adjustments by me.This has been wrong since commitd72f6c7,so back-patch to all supported branches.

1 parent24aed21 commita89781eCopy full SHA for a89781e

File tree

3 files changed

+49

-4

lines changed

src
- backend/utils/adt
  - numeric.c
- test/regress
  - expected
    - numeric.out
  - sql
    - numeric.sql

3 files changed

+49

-4

lines changed

`‎src/backend/utils/adt/numeric.c`

Lines changed: 10 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -4191,9 +4191,15 @@ mul_var(NumericVar var1, NumericVar var2, NumericVar *result,`
`4191`	`4191`	`* to avoid normalizing carries immediately.`
`4192`	`4192`	`*`
`4193`	`4193`	`* maxdig tracks the maximum possible value of any dig[] entry; when this`
`4194`		`- * threatens to exceed INT_MAX, we take the time to propagate carries. To`
`4195`		`- * avoid overflow in maxdig itself, it actually represents the max`
`4196`		`- * possible value divided by NBASE-1.`
	`4194`	`+ * threatens to exceed INT_MAX, we take the time to propagate carries.`
	`4195`	`+ * Furthermore, we need to ensure that overflow doesn't occur during the`
	`4196`	`+ * carry propagation passes either. The carry values could be as much as`
	`4197`	`+ * INT_MAX/NBASE, so really we must normalize when digits threaten to`
	`4198`	`+ * exceed INT_MAX - INT_MAX/NBASE.`
	`4199`	`+ *`
	`4200`	`+ * To avoid overflow in maxdig itself, it actually represents the max`
	`4201`	`+ * possible value divided by NBASE-1, ie, at the top of the loop it is`
	`4202`	`+ * known that no dig[] entry exceeds maxdig * (NBASE-1).`
`4197`	`4203`	`*/`
`4198`	`4204`	`dig= (int)palloc0(res_ndigitssizeof(int));`
`4199`	`4205`	`maxdig=0;`
`@@ -4208,7 +4214,7 @@ mul_var(NumericVar var1, NumericVar var2, NumericVar *result,`
`4208`	`4214`
`4209`	`4215`	`/* Time to normalize? */`
`4210`	`4216`	`maxdig+=var1digit;`
`4211`		`-if (maxdig>INT_MAX / (NBASE-1))`
	`4217`	`+if (maxdig>(INT_MAX-INT_MAX /NBASE) / (NBASE-1))`
`4212`	`4218`	`{`
`4213`	`4219`	`/* Yes, do it */`
`4214`	`4220`	`carry=0;`

`‎src/test/regress/expected/numeric.out`

Lines changed: 27 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1309,6 +1309,33 @@ SELECT * FROM num_input_test;`
`1309`	`1309`	`NaN`
`1310`	`1310`	`(7 rows)`
`1311`	`1311`
	`1312`	`+--`
	`1313`	`+-- Test some corner cases for multiplication`
	`1314`	`+--`
	`1315`	`+select 4790999999999999999999999999999999999999999999999999999999999999999999999999999999999999 * 9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999;`
	`1316`	`+ ?column?`
	`1317`	`+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------`
	`1318`	`+ 47909999999999999999999999999999999999999999999999999999999999999999999999999999999999985209000000000000000000000000000000000000000000000000000000000000000000000000000000000001`
	`1319`	`+(1 row)`
	`1320`	`+`
	`1321`	`+select 4789999999999999999999999999999999999999999999999999999999999999999999999999999999999999 * 9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999;`
	`1322`	`+ ?column?`
	`1323`	`+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------`
	`1324`	`+ 47899999999999999999999999999999999999999999999999999999999999999999999999999999999999985210000000000000000000000000000000000000000000000000000000000000000000000000000000000001`
	`1325`	`+(1 row)`
	`1326`	`+`
	`1327`	`+select 4770999999999999999999999999999999999999999999999999999999999999999999999999999999999999 * 9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999;`
	`1328`	`+ ?column?`
	`1329`	`+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------`
	`1330`	`+ 47709999999999999999999999999999999999999999999999999999999999999999999999999999999999985229000000000000000000000000000000000000000000000000000000000000000000000000000000000001`
	`1331`	`+(1 row)`
	`1332`	`+`
	`1333`	`+select 4769999999999999999999999999999999999999999999999999999999999999999999999999999999999999 * 9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999;`
	`1334`	`+ ?column?`
	`1335`	`+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------`
	`1336`	`+ 47699999999999999999999999999999999999999999999999999999999999999999999999999999999999985230000000000000000000000000000000000000000000000000000000000000000000000000000000000001`
	`1337`	`+(1 row)`
	`1338`	`+`
`1312`	`1339`	`--`
`1313`	`1340`	`-- Test some corner cases for division`
`1314`	`1341`	`--`

`‎src/test/regress/sql/numeric.sql`

Lines changed: 12 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -811,6 +811,18 @@ INSERT INTO num_input_test(n1) VALUES (' N aN ');`
`811`	`811`
`812`	`812`	`SELECT*FROM num_input_test;`
`813`	`813`
	`814`	`+--`
	`815`	`+-- Test some corner cases for multiplication`
	`816`	`+--`
	`817`	`+`
	`818`	`+select4790999999999999999999999999999999999999999999999999999999999999999999999999999999999999*9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999;`
	`819`	`+`
	`820`	`+select4789999999999999999999999999999999999999999999999999999999999999999999999999999999999999*9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999;`
	`821`	`+`
	`822`	`+select4770999999999999999999999999999999999999999999999999999999999999999999999999999999999999*9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999;`
	`823`	`+`
	`824`	`+select4769999999999999999999999999999999999999999999999999999999999999999999999999999999999999*9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999;`
	`825`	`+`
`814`	`826`	`--`
`815`	`827`	`-- Test some corner cases for division`
`816`	`828`	`--`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commita89781e

File tree

3 files changed

3 files changed

`‎src/backend/utils/adt/numeric.c`

`‎src/test/regress/expected/numeric.out`

`‎src/test/regress/sql/numeric.sql`

0 commit comments