Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit547dd2c

Browse files
Detect integer overflow in array_set_slice().
When provided an empty initial array, array_set_slice() fails tocheck for overflow when computing the new array's dimensions.While such overflows are ordinarily caught by ArrayGetNItems(),commands with the following form are accepted:INSERT INTO t (i[-2147483648:2147483647]) VALUES ('{}');To fix, perform the hazardous computations using overflow-detectingarithmetic routines. As with commit18b5851, the added testcases generate errors that include a platform-dependent value, sowe again use psql's VERBOSITY parameter to suppress printing themessage text.Reported-by: Alexander LakhinAuthor: Joseph KoshakowReviewed-by: Jian HeDiscussion:https://postgr.es/m/31ad2cd1-db94-bdb3-f91a-65ffdb4bef95%40gmail.comBackpatch-through: 12
1 parent9aa644f commit547dd2c

File tree

3 files changed

+14
-1
lines changed

3 files changed

+14
-1
lines changed

‎src/backend/utils/adt/arrayfuncs.c

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2899,7 +2899,14 @@ array_set_slice(Datum arraydatum,
28992899
errdetail("When assigning to a slice of an empty array value,"
29002900
" slice boundaries must be fully specified.")));
29012901

2902-
dim[i]=1+upperIndx[i]-lowerIndx[i];
2902+
/* compute "upperIndx[i] - lowerIndx[i] + 1", detecting overflow */
2903+
if (pg_sub_s32_overflow(upperIndx[i],lowerIndx[i],&dim[i])||
2904+
pg_add_s32_overflow(dim[i],1,&dim[i]))
2905+
ereport(ERROR,
2906+
(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
2907+
errmsg("array size exceeds the maximum allowed (%d)",
2908+
(int)MaxArraySize)));
2909+
29032910
lb[i]=lowerIndx[i];
29042911
}
29052912

‎src/test/regress/expected/arrays.out

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1402,6 +1402,10 @@ update arr_pk_tbl set f1[2147483647] = 42 where pk = 10;
14021402
ERROR: 54000
14031403
update arr_pk_tbl set f1[2147483646:2147483647] = array[4,2] where pk = 10;
14041404
ERROR: 54000
1405+
insert into arr_pk_tbl(pk, f1[0:2147483647]) values (2, '{}');
1406+
ERROR: 54000
1407+
insert into arr_pk_tbl(pk, f1[-2147483648:2147483647]) values (2, '{}');
1408+
ERROR: 54000
14051409
-- also exercise the expanded-array case
14061410
do $$ declare a int[];
14071411
begin

‎src/test/regress/sql/arrays.sql

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -441,6 +441,8 @@ reset enable_bitmapscan;
441441
insert into arr_pk_tblvalues(10,'[-2147483648:-2147483647]={1,2}');
442442
update arr_pk_tblset f1[2147483647]=42where pk=10;
443443
update arr_pk_tblset f1[2147483646:2147483647]= array[4,2]where pk=10;
444+
insert into arr_pk_tbl(pk, f1[0:2147483647])values (2,'{}');
445+
insert into arr_pk_tbl(pk, f1[-2147483648:2147483647])values (2,'{}');
444446

445447
-- also exercise the expanded-array case
446448
do $$ declare aint[];

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp