NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit9e7432f

committed

Fix integer-overflow problem in intarray's g_int_decompress().

An array element equal to INT_MAX gave this code indigestion,causing an infinite loop that surely ended in SIGSEGV. We fixedsome nearby problems awhile ago (cf757c518) but missed this.Report and diagnosis by Alexander Lakhin (bug #18273); patch by meDiscussion:https://postgr.es/m/18273-9a832d1da122600c@postgresql.org

1 parent60de25c commit9e7432fCopy full SHA for 9e7432f

File tree

4 files changed

+27

-22

lines changed

contrib/intarray
- _int_gist.c
- data
  - test__int.data
- expected
  - _int.out
- sql
  - _int.sql

4 files changed

+27

-22

lines changed

`‎contrib/intarray/_int_gist.c`

Lines changed: 6 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -290,8 +290,7 @@ g_int_decompress(PG_FUNCTION_ARGS)`
`290`	`290`	`ArrayType*in;`
`291`	`291`	`intlenin;`
`292`	`292`	`int*din;`
`293`		`-inti,`
`294`		`-j;`
	`293`	`+inti;`
`295`	`294`
`296`	`295`	`in=DatumGetArrayTypeP(entry->key);`
`297`	`296`
`@@ -335,9 +334,12 @@ g_int_decompress(PG_FUNCTION_ARGS)`
`335`	`334`	`dr=ARRPTR(r);`
`336`	`335`
`337`	`336`	`for (i=0;i<lenin;i+=2)`
`338`		`-for (j=din[i];j <=din[i+1];j++)`
	`337`	`+{`
	`338`	`+/* use int64 for j in case din[i + 1] is INT_MAX */`
	`339`	`+for (int64j=din[i];j <=din[i+1];j++)`
`339`	`340`	`if ((!i)\|\|*(dr-1)!=j)`
`340`		`-*dr++=j;`
	`341`	`+*dr++= (int)j;`
	`342`	`+}`
`341`	`343`
`342`	`344`	`if (in!= (ArrayType*)DatumGetPointer(entry->key))`
`343`	`345`	`pfree(in);`

`‎contrib/intarray/data/test__int.data`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -6998,3 +6998,4 @@`
`6998`	`6998`	`{173,208,229}`
`6999`	`6999`	`{6,22,142,267,299}`
`7000`	`7000`	`{22,122,173,245,293}`
	`7001`	`+{1,2,101,102,201,202,2147483647}`

`‎contrib/intarray/expected/_int.out`

Lines changed: 17 additions & 16 deletions

Original file line number	Diff line number	Diff line change
`@@ -464,13 +464,13 @@ SELECT count(*) from test__int WHERE a @@ '(20&23)\|(50&68)';`
`464`	`464`	`SELECT count(*) from test__int WHERE a @@ '20 \| !21';`
`465`	`465`	`count`
`466`	`466`	`-------`
`467`		`-6566`
	`467`	`+6567`
`468`	`468`	`(1 row)`
`469`	`469`
`470`	`470`	`SELECT count(*) from test__int WHERE a @@ '!20 & !21';`
`471`	`471`	`count`
`472`	`472`	`-------`
`473`		`-6343`
	`473`	`+6344`
`474`	`474`	`(1 row)`
`475`	`475`
`476`	`476`	`SET enable_seqscan = off; -- not all of these would use index by default`
`@@ -538,13 +538,13 @@ SELECT count(*) from test__int WHERE a @@ '(20&23)\|(50&68)';`
`538`	`538`	`SELECT count(*) from test__int WHERE a @@ '20 \| !21';`
`539`	`539`	`count`
`540`	`540`	`-------`
`541`		`-6566`
	`541`	`+6567`
`542`	`542`	`(1 row)`
`543`	`543`
`544`	`544`	`SELECT count(*) from test__int WHERE a @@ '!20 & !21';`
`545`	`545`	`count`
`546`	`546`	`-------`
`547`		`-6343`
	`547`	`+6344`
`548`	`548`	`(1 row)`
`549`	`549`
`550`	`550`	`INSERT INTO test__int SELECT array(SELECT x FROM generate_series(1, 1001) x); -- should fail`
`@@ -620,13 +620,13 @@ SELECT count(*) from test__int WHERE a @@ '(20&23)\|(50&68)';`
`620`	`620`	`SELECT count(*) from test__int WHERE a @@ '20 \| !21';`
`621`	`621`	`count`
`622`	`622`	`-------`
`623`		`-6566`
	`623`	`+6567`
`624`	`624`	`(1 row)`
`625`	`625`
`626`	`626`	`SELECT count(*) from test__int WHERE a @@ '!20 & !21';`
`627`	`627`	`count`
`628`	`628`	`-------`
`629`		`-6343`
	`629`	`+6344`
`630`	`630`	`(1 row)`
`631`	`631`
`632`	`632`	`DROP INDEX text_idx;`
`@@ -700,13 +700,13 @@ SELECT count(*) from test__int WHERE a @@ '(20&23)\|(50&68)';`
`700`	`700`	`SELECT count(*) from test__int WHERE a @@ '20 \| !21';`
`701`	`701`	`count`
`702`	`702`	`-------`
`703`		`-6566`
	`703`	`+6567`
`704`	`704`	`(1 row)`
`705`	`705`
`706`	`706`	`SELECT count(*) from test__int WHERE a @@ '!20 & !21';`
`707`	`707`	`count`
`708`	`708`	`-------`
`709`		`-6343`
	`709`	`+6344`
`710`	`710`	`(1 row)`
`711`	`711`
`712`	`712`	`DROP INDEX text_idx;`
`@@ -774,13 +774,13 @@ SELECT count(*) from test__int WHERE a @@ '(20&23)\|(50&68)';`
`774`	`774`	`SELECT count(*) from test__int WHERE a @@ '20 \| !21';`
`775`	`775`	`count`
`776`	`776`	`-------`
`777`		`-6566`
	`777`	`+6567`
`778`	`778`	`(1 row)`
`779`	`779`
`780`	`780`	`SELECT count(*) from test__int WHERE a @@ '!20 & !21';`
`781`	`781`	`count`
`782`	`782`	`-------`
`783`		`-6343`
	`783`	`+6344`
`784`	`784`	`(1 row)`
`785`	`785`
`786`	`786`	`DROP INDEX text_idx;`
`@@ -848,13 +848,13 @@ SELECT count(*) from test__int WHERE a @@ '(20&23)\|(50&68)';`
`848`	`848`	`SELECT count(*) from test__int WHERE a @@ '20 \| !21';`
`849`	`849`	`count`
`850`	`850`	`-------`
`851`		`-6566`
	`851`	`+6567`
`852`	`852`	`(1 row)`
`853`	`853`
`854`	`854`	`SELECT count(*) from test__int WHERE a @@ '!20 & !21';`
`855`	`855`	`count`
`856`	`856`	`-------`
`857`		`-6343`
	`857`	`+6344`
`858`	`858`	`(1 row)`
`859`	`859`
`860`	`860`	`DROP INDEX text_idx;`
`@@ -870,9 +870,10 @@ DROP INDEX text_idx;`
`870`	`870`	`-- core that would reach the same codepaths.`
`871`	`871`	`CREATE TABLE more__int AS SELECT`
`872`	`872`	`-- Leave alone NULLs, empty arrays and the one row that we use to test`
`873`		`- -- equality`
	`873`	`+ -- equality; also skip INT_MAX`
`874`	`874`	`CASE WHEN a IS NULL OR a = '{}' OR a = '{73,23,20}' THEN a ELSE`
`875`		`- (select array_agg(u) \|\| array_agg(u + 1000) \|\| array_agg(u + 2000) from (select unnest(a) u) x)`
	`875`	`+ (select array_agg(u) \|\| array_agg(u + 1000) \|\| array_agg(u + 2000)`
	`876`	`+ from unnest(a) u where u < 2000000000)`
`876`	`877`	`END AS a, a as b`
`877`	`878`	`FROM test__int;`
`878`	`879`	`CREATE INDEX ON more__int using gist (a gist__int_ops(numranges = 252));`
`@@ -939,13 +940,13 @@ SELECT count(*) from more__int WHERE a @@ '(20&23)\|(50&68)';`
`939`	`940`	`SELECT count(*) from more__int WHERE a @@ '20 \| !21';`
`940`	`941`	`count`
`941`	`942`	`-------`
`942`		`-6566`
	`943`	`+6567`
`943`	`944`	`(1 row)`
`944`	`945`
`945`	`946`	`SELECT count(*) from more__int WHERE a @@ '!20 & !21';`
`946`	`947`	`count`
`947`	`948`	`-------`
`948`		`-6343`
	`949`	`+6344`
`949`	`950`	`(1 row)`
`950`	`951`
`951`	`952`	`RESET enable_seqscan;`

`‎contrib/intarray/sql/_int.sql`

Lines changed: 3 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -194,9 +194,10 @@ DROP INDEX text_idx;`
`194`	`194`	`-- core that would reach the same codepaths.`
`195`	`195`	`CREATETABLEmore__intASSELECT`
`196`	`196`	`-- Leave alone NULLs, empty arrays and the one row that we use to test`
`197`		`--- equality`
	`197`	`+-- equality; also skip INT_MAX`
`198`	`198`	`CASE WHEN a ISNULLOR a='{}'OR a='{73,23,20}' THEN a ELSE`
`199`		`- (select array_agg(u)\|\| array_agg(u+1000)\|\| array_agg(u+2000)from (select unnest(a) u) x)`
	`199`	`+ (select array_agg(u)\|\| array_agg(u+1000)\|\| array_agg(u+2000)`
	`200`	`+from unnest(a) uwhere u<2000000000)`
`200`	`201`	`ENDAS a, aas b`
`201`	`202`	`FROM test__int;`
`202`	`203`	`CREATEINDEXON more__int using gist (a gist__int_ops(numranges=252));`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit9e7432f

File tree

4 files changed

4 files changed

`‎contrib/intarray/_int_gist.c`

`‎contrib/intarray/data/test__int.data`

`‎contrib/intarray/expected/_int.out`

`‎contrib/intarray/sql/_int.sql`

0 commit comments