Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit991f8cf

Browse files
Detect integer overflow in array_set_slice().
When provided an empty initial array, array_set_slice() fails tocheck for overflow when computing the new array's dimensions.While such overflows are ordinarily caught by ArrayGetNItems(),commands with the following form are accepted:INSERT INTO t (i[-2147483648:2147483647]) VALUES ('{}');To fix, perform the hazardous computations using overflow-detectingarithmetic routines. As with commit18b5851, the added testcases generate errors that include a platform-dependent value, sowe again use psql's VERBOSITY parameter to suppress printing themessage text.Reported-by: Alexander LakhinAuthor: Joseph KoshakowReviewed-by: Jian HeDiscussion:https://postgr.es/m/31ad2cd1-db94-bdb3-f91a-65ffdb4bef95%40gmail.comBackpatch-through: 12
1 parentd3cc5ff commit991f8cf

File tree

3 files changed

+14
-1
lines changed

3 files changed

+14
-1
lines changed

‎src/backend/utils/adt/arrayfuncs.c

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2887,7 +2887,14 @@ array_set_slice(Datum arraydatum,
28872887
errdetail("When assigning to a slice of an empty array value,"
28882888
" slice boundaries must be fully specified.")));
28892889

2890-
dim[i]=1+upperIndx[i]-lowerIndx[i];
2890+
/* compute "upperIndx[i] - lowerIndx[i] + 1", detecting overflow */
2891+
if (pg_sub_s32_overflow(upperIndx[i],lowerIndx[i],&dim[i])||
2892+
pg_add_s32_overflow(dim[i],1,&dim[i]))
2893+
ereport(ERROR,
2894+
(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
2895+
errmsg("array size exceeds the maximum allowed (%d)",
2896+
(int)MaxArraySize)));
2897+
28912898
lb[i]=lowerIndx[i];
28922899
}
28932900

‎src/test/regress/expected/arrays.out

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1427,6 +1427,10 @@ update arr_pk_tbl set f1[2147483647] = 42 where pk = 10;
14271427
ERROR: 54000
14281428
update arr_pk_tbl set f1[2147483646:2147483647] = array[4,2] where pk = 10;
14291429
ERROR: 54000
1430+
insert into arr_pk_tbl(pk, f1[0:2147483647]) values (2, '{}');
1431+
ERROR: 54000
1432+
insert into arr_pk_tbl(pk, f1[-2147483648:2147483647]) values (2, '{}');
1433+
ERROR: 54000
14301434
-- also exercise the expanded-array case
14311435
do $$ declare a int[];
14321436
begin

‎src/test/regress/sql/arrays.sql

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -447,6 +447,8 @@ reset enable_bitmapscan;
447447
insert into arr_pk_tblvalues(10,'[-2147483648:-2147483647]={1,2}');
448448
update arr_pk_tblset f1[2147483647]=42where pk=10;
449449
update arr_pk_tblset f1[2147483646:2147483647]= array[4,2]where pk=10;
450+
insert into arr_pk_tbl(pk, f1[0:2147483647])values (2,'{}');
451+
insert into arr_pk_tbl(pk, f1[-2147483648:2147483647])values (2,'{}');
450452

451453
-- also exercise the expanded-array case
452454
do $$ declare aint[];

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp