search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
(parent: d3cc5ff) | patch
Detect integer overflow in array_set_slice().
commit991f8cf8abe244547093ddffcc4b9209076f3525
authorNathan Bossart <nathan@postgresql.org>
Wed, 24 Jul 2024 02:59:02 +0000 (23 21:59 -0500)
committerNathan Bossart <nathan@postgresql.org>
Wed, 24 Jul 2024 02:59:02 +0000 (23 21:59 -0500)
treea7ee537470cc30dcc85c669e4638be008831ae31tree | snapshot (tar.gz zip)
parentd3cc5ffe81f64c6418ba9b18a9db32392f8027e6commit | diff
Detect integer overflow in array_set_slice().

When provided an empty initial array, array_set_slice() fails to
check for overflow when computing the new array's dimensions.
While such overflows are ordinarily caught by ArrayGetNItems(),
commands with the following form are accepted:

INSERT INTO t (i[-2147483648:2147483647]) VALUES ('{}');

To fix, perform the hazardous computations using overflow-detecting
arithmetic routines.  As with commit 18b585155a, the added test
cases generate errors that include a platform-dependent value, so
we again use psql's VERBOSITY parameter to suppress printing the
message text.

Reported-by: Alexander Lakhin
Author: Joseph Koshakow
Reviewed-by: Jian He
Discussion: https://postgr.es/m/31ad2cd1-db94-bdb3-f91a-65ffdb4bef95%40gmail.com
Backpatch-through: 12
src/backend/utils/adt/arrayfuncs.c diff | blob | blame | history
src/test/regress/expected/arrays.out diff | blob | blame | history
src/test/regress/sql/arrays.sql diff | blob | blame | history
Postgresql Clone from git://git.postgresql.org/git/postgresql.git