
Commit 991f8cf

Detect integer overflow in array_set_slice().
When provided an empty initial array, array_set_slice() fails to check for overflow when computing the new array's dimensions. While such overflows are ordinarily caught by ArrayGetNItems(), commands with the following form are accepted: INSERT INTO t (i[-2147483648:2147483647]) VALUES ('{}'); To fix, perform the hazardous computations using overflow-detecting arithmetic routines. As with commit 18b5851, the added test cases generate errors that include a platform-dependent value, so we again use psql's VERBOSITY parameter to suppress printing the message text. Reported-by: Alexander Lakhin Author: Joseph Koshakow Reviewed-by: Jian He Discussion: https://postgr.es/m/31ad2cd1-db94-bdb3-f91a-65ffdb4bef95%40gmail.com Backpatch-through: 12
1 parent d3cc5ff commit 991f8cf


3 files changed

+14
-1
lines changed


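--- a/src/backend/utils/adt/arrayfuncs.c
+++ b/src/backend/utils/adt/arrayfuncs.c
@@ -2887,7 +2887,14 @@ array_set_slice(Datum arraydatum,
 errdetail("When assigning to a slice of an empty array value,"
 " slice boundaries must be fully specified.")));
 
-dim[i] = 1 + upperIndx[i] - lowerIndx[i];
+/* compute "upperIndx[i] - lowerIndx[i] + 1", detecting overflow */
+if (pg_sub_s32_overflow(upperIndx[i], lowerIndx[i], &dim[i]) ||
+pg_add_s32_overflow(dim[i], 1, &dim[i]))
+ereport(ERROR,
+(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+errmsg("array size exceeds the maximum allowed (%d)",
+(int) MaxArraySize)));
+
 lb[i] = lowerIndx[i];
 }
 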
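Review bot: The new guard on `dim[i]` only rejects an extent that does not fit in a signed 32-bit value. A slice whose upper bound is below its lower bound still produces a zero or negative `dim[i]` without error, and `lb[i] + dim[i]` is not examined at this point. Both cases, and the total element count against MaxArraySize, therefore depend on validation after the loop; array_set_slice() continues outside this hunk, so that cannot be confirmed from here. If that later validation exists, the comment should say so, for example `/* per-dimension extent only; sign, lb + dim and total size are validated after the loop */`. The error text reports MaxArraySize although the condition tripped is int32 overflow, which is accurate only as long as MaxArraySize stays below INT_MAX.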

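--- a/src/test/regress/expected/arrays.out
+++ b/src/test/regress/expected/arrays.out
@@ -1427,6 +1427,10 @@ update arr_pk_tbl set f1[2147483647] = 42 where pk = 10;
 ERROR: 54000
 update arr_pk_tbl set f1[2147483646:2147483647] = array[4,2] where pk = 10;
 ERROR: 54000
+insert into arr_pk_tbl(pk, f1[0:2147483647]) values (2, '{}');
+ERROR: 54000
+insert into arr_pk_tbl(pk, f1[-2147483648:2147483647]) values (2, '{}');
+ERROR: 54000
 -- also exercise the expanded-array case
 do $$ declare a int[];
 begin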

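--- a/src/test/regress/sql/arrays.sql
+++ b/src/test/regress/sql/arrays.sql
@@ -447,6 +447,8 @@ reset enable_bitmapscan;
 insert into arr_pk_tbl values(10, '[-2147483648:-2147483647]={1,2}');
 update arr_pk_tbl set f1[2147483647] = 42 where pk = 10;
 update arr_pk_tbl set f1[2147483646:2147483647] = array[4,2] where pk = 10;
+insert into arr_pk_tbl(pk, f1[0:2147483647]) values (2, '{}');
+insert into arr_pk_tbl(pk, f1[-2147483648:2147483647]) values (2, '{}');
 
 -- also exercise the expanded-array case
 do $$ declare a int[];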
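Review bot: The two added INSERTs carry no comment saying which overflow path each one exercises, so a later edit could drop one without noticing that coverage was lost. From the arithmetic in the fix, `f1[0:2147483647]` lets the subtraction succeed and overflows on the `+ 1`, while `f1[-2147483648:2147483647]` overflows in the subtraction itself. A line above them such as `-- slice assignment to an empty array: overflow in the "+ 1", then in the subtraction` would record that. The commit message relies on psql's VERBOSITY setting to hide the platform-dependent message text; that setting is made outside this hunk, so these statements must stay inside the region it covers.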
