NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit6c1b71b

committed

Detect integer overflow in array_set_slice().

When provided an empty initial array, array_set_slice() fails tocheck for overflow when computing the new array's dimensions.While such overflows are ordinarily caught by ArrayGetNItems(),commands with the following form are accepted:INSERT INTO t (i[-2147483648:2147483647]) VALUES ('{}');To fix, perform the hazardous computations using overflow-detectingarithmetic routines. As with commit18b5851, the added testcases generate errors that include a platform-dependent value, sowe again use psql's VERBOSITY parameter to suppress printing themessage text.Reported-by: Alexander LakhinAuthor: Joseph KoshakowReviewed-by: Jian HeDiscussion:https://postgr.es/m/31ad2cd1-db94-bdb3-f91a-65ffdb4bef95%40gmail.comBackpatch-through: 12

1 parent78ff6e0 commit6c1b71bCopy full SHA for 6c1b71b

File tree

3 files changed

+14

-1

lines changed

src
- backend/utils/adt
  - arrayfuncs.c
- test/regress
  - expected
    - arrays.out
  - sql
    - arrays.sql

3 files changed

+14

-1

lines changed

`‎src/backend/utils/adt/arrayfuncs.c`

Lines changed: 8 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -2872,7 +2872,14 @@ array_set_slice(Datum arraydatum,`
`2872`	`2872`	`errdetail("When assigning to a slice of an empty array value,"`
`2873`	`2873`	`" slice boundaries must be fully specified.")));`
`2874`	`2874`
`2875`		`-dim[i]=1+upperIndx[i]-lowerIndx[i];`
	`2875`	`+/* compute "upperIndx[i] - lowerIndx[i] + 1", detecting overflow */`
	`2876`	`+if (pg_sub_s32_overflow(upperIndx[i],lowerIndx[i],&dim[i])\|\|`
	`2877`	`+pg_add_s32_overflow(dim[i],1,&dim[i]))`
	`2878`	`+ereport(ERROR,`
	`2879`	`+(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),`
	`2880`	`+errmsg("array size exceeds the maximum allowed (%d)",`
	`2881`	`+(int)MaxArraySize)));`
	`2882`	`+`
`2876`	`2883`	`lb[i]=lowerIndx[i];`
`2877`	`2884`	`}`
`2878`	`2885`

`‎src/test/regress/expected/arrays.out`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1368,6 +1368,10 @@ update arr_pk_tbl set f1[2147483647] = 42 where pk = 10;`
`1368`	`1368`	`ERROR: 54000`
`1369`	`1369`	`update arr_pk_tbl set f1[2147483646:2147483647] = array[4,2] where pk = 10;`
`1370`	`1370`	`ERROR: 54000`
	`1371`	`+insert into arr_pk_tbl(pk, f1[0:2147483647]) values (2, '{}');`
	`1372`	`+ERROR: 54000`
	`1373`	`+insert into arr_pk_tbl(pk, f1[-2147483648:2147483647]) values (2, '{}');`
	`1374`	`+ERROR: 54000`
`1371`	`1375`	`-- also exercise the expanded-array case`
`1372`	`1376`	`do $$ declare a int[];`
`1373`	`1377`	`begin`

`‎src/test/regress/sql/arrays.sql`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -418,6 +418,8 @@ reset enable_bitmapscan;`
`418`	`418`	`insert into arr_pk_tblvalues(10,'[-2147483648:-2147483647]={1,2}');`
`419`	`419`	`update arr_pk_tblset f1[2147483647]=42where pk=10;`
`420`	`420`	`update arr_pk_tblset f1[2147483646:2147483647]= array[4,2]where pk=10;`
	`421`	`+insert into arr_pk_tbl(pk, f1[0:2147483647])values (2,'{}');`
	`422`	`+insert into arr_pk_tbl(pk, f1[-2147483648:2147483647])values (2,'{}');`
`421`	`423`
`422`	`424`	`-- also exercise the expanded-array case`
`423`	`425`	`do $$ declare aint[];`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit6c1b71b

File tree

3 files changed

3 files changed

`‎src/backend/utils/adt/arrayfuncs.c`

`‎src/test/regress/expected/arrays.out`

`‎src/test/regress/sql/arrays.sql`

0 commit comments