NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitbdd8ed9

committed

Fix miscalculation of itemsafter in array_set_slice().

If the slice to be assigned to was before the existing array lower bound(requiring at least one null element to spring into existence to fill thegap), the code miscalculated how many entries needed to be copied fromthe old array's null bitmap. This could result in trashing the array'sdata area (as seen in bug #5840 from Karsten Loesing), or worse.This has been broken since we first allowed the behavior of assigning tonon-adjacent slices, in 8.2. Back-patch to all affected versions.

1 parent978445b commitbdd8ed9Copy full SHA for bdd8ed9

File tree

1 file changed

-1

lines changed

src/backend/utils/adt
- arrayfuncs.c

1 file changed

-1

lines changed

`‎src/backend/utils/adt/arrayfuncs.c`

Lines changed: 5 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -2500,6 +2500,7 @@ array_set_slice(ArrayType *array,`
`2500`	`2500`	`{`
`2501`	`2501`	`/*`
`2502`	`2502`	`* here we must allow for possibility of slice larger than orig array`
	`2503`	`+ * and/or not adjacent to orig array subscripts`
`2503`	`2504`	`*/`
`2504`	`2505`	`intoldlb=ARR_LBOUND(array)[0];`
`2505`	`2506`	`intoldub=oldlb+ARR_DIMS(array)[0]-1;`
`@@ -2508,10 +2509,12 @@ array_set_slice(ArrayType *array,`
`2508`	`2509`	`char*oldarraydata=ARR_DATA_PTR(array);`
`2509`	`2510`	`bits8*oldarraybitmap=ARR_NULLBITMAP(array);`
`2510`	`2511`
	`2512`	`+/* count/size of old array entries that will go before the slice */`
`2511`	`2513`	`itemsbefore=Min(slicelb,oldub+1)-oldlb;`
`2512`	`2514`	`lenbefore=array_nelems_size(oldarraydata,0,oldarraybitmap,`
`2513`	`2515`	`itemsbefore,`
`2514`	`2516`	`elmlen,elmbyval,elmalign);`
	`2517`	`+/* count/size of old array entries that will be replaced by slice */`
`2515`	`2518`	`if (slicelb>sliceub)`
`2516`	`2519`	`{`
`2517`	`2520`	`nolditems=0;`
`@@ -2525,7 +2528,8 @@ array_set_slice(ArrayType *array,`
`2525`	`2528`	`nolditems,`
`2526`	`2529`	`elmlen,elmbyval,elmalign);`
`2527`	`2530`	`}`
`2528`		`-itemsafter=oldub-sliceub;`
	`2531`	`+/* count/size of old array entries that will go after the slice */`
	`2532`	`+itemsafter=oldub+1-Max(sliceub+1,oldlb);`
`2529`	`2533`	`lenafter=olddatasize-lenbefore-olditemsize;`
`2530`	`2534`	`}`
`2531`	`2535`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitbdd8ed9

File tree

1 file changed

1 file changed

`‎src/backend/utils/adt/arrayfuncs.c`

0 commit comments