Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit6c1b71b

Browse files
Detect integer overflow in array_set_slice().
When provided an empty initial array, array_set_slice() fails tocheck for overflow when computing the new array's dimensions.While such overflows are ordinarily caught by ArrayGetNItems(),commands with the following form are accepted:INSERT INTO t (i[-2147483648:2147483647]) VALUES ('{}');To fix, perform the hazardous computations using overflow-detectingarithmetic routines. As with commit18b5851, the added testcases generate errors that include a platform-dependent value, sowe again use psql's VERBOSITY parameter to suppress printing themessage text.Reported-by: Alexander LakhinAuthor: Joseph KoshakowReviewed-by: Jian HeDiscussion:https://postgr.es/m/31ad2cd1-db94-bdb3-f91a-65ffdb4bef95%40gmail.comBackpatch-through: 12
1 parent78ff6e0 commit6c1b71b

File tree

3 files changed

+14
-1
lines changed

3 files changed

+14
-1
lines changed

‎src/backend/utils/adt/arrayfuncs.c‎

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2872,7 +2872,14 @@ array_set_slice(Datum arraydatum,
28722872
errdetail("When assigning to a slice of an empty array value,"
28732873
" slice boundaries must be fully specified.")));
28742874

2875-
dim[i]=1+upperIndx[i]-lowerIndx[i];
2875+
/* compute "upperIndx[i] - lowerIndx[i] + 1", detecting overflow */
2876+
if (pg_sub_s32_overflow(upperIndx[i],lowerIndx[i],&dim[i])||
2877+
pg_add_s32_overflow(dim[i],1,&dim[i]))
2878+
ereport(ERROR,
2879+
(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
2880+
errmsg("array size exceeds the maximum allowed (%d)",
2881+
(int)MaxArraySize)));
2882+
28762883
lb[i]=lowerIndx[i];
28772884
}
28782885

‎src/test/regress/expected/arrays.out‎

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1368,6 +1368,10 @@ update arr_pk_tbl set f1[2147483647] = 42 where pk = 10;
13681368
ERROR: 54000
13691369
update arr_pk_tbl set f1[2147483646:2147483647] = array[4,2] where pk = 10;
13701370
ERROR: 54000
1371+
insert into arr_pk_tbl(pk, f1[0:2147483647]) values (2, '{}');
1372+
ERROR: 54000
1373+
insert into arr_pk_tbl(pk, f1[-2147483648:2147483647]) values (2, '{}');
1374+
ERROR: 54000
13711375
-- also exercise the expanded-array case
13721376
do $$ declare a int[];
13731377
begin

‎src/test/regress/sql/arrays.sql‎

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -418,6 +418,8 @@ reset enable_bitmapscan;
418418
insert into arr_pk_tblvalues(10,'[-2147483648:-2147483647]={1,2}');
419419
update arr_pk_tblset f1[2147483647]=42where pk=10;
420420
update arr_pk_tblset f1[2147483646:2147483647]= array[4,2]where pk=10;
421+
insert into arr_pk_tbl(pk, f1[0:2147483647])values (2,'{}');
422+
insert into arr_pk_tbl(pk, f1[-2147483648:2147483647])values (2,'{}');
421423

422424
-- also exercise the expanded-array case
423425
do $$ declare aint[];

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp