Don't read fields of a misaligned ExpandedObjectHeader or AnyArrayType.

nmisch · nmisch · commit cd9d48969d94 · 2019-06-30T17:34:20.000-07:00
UBSan complains about this. Instead, cast to a suitable type requiring only 4-byte alignment. DatumGetAnyArrayP() already assumes one can cast between AnyArrayType and ArrayType, so this doesn't introduce a new assumption. Back-patch to 9.5, where AnyArrayType was introduced. Reviewed by Tom Lane. Discussion: https://postgr.es/m/20190629210334.GA1244217@rfd.leadboat.com
diff --git a/src/backend/utils/adt/arrayfuncs.c b/src/backend/utils/adt/arrayfuncs.c
@@ -4108,7 +4108,7 @@ array_contain_compare(AnyArrayType *array1, AnyArrayType *array2, Oid collation,
 		nelems2 = array2->xpn.nelems;
 	}
 	else
-		deconstruct_array(&(array2->flt),
+		deconstruct_array((ArrayType *) array2,
 						  element_type, typlen, typbyval, typalign,
 						  &values2, &nulls2, &nelems2);
 
diff --git a/src/include/utils/array.h b/src/include/utils/array.h
@@ -153,7 +153,10 @@ typedef struct ExpandedArrayHeader
 
 /*
  * Functions that can handle either a "flat" varlena array or an expanded
- * array use this union to work with their input.
+ * array use this union to work with their input.  Don't refer to "flt";
+ * instead, cast to ArrayType.  This struct nominally requires 8-byte
+ * alignment on 64-bit, but it's often used for an ArrayType having 4-byte
+ * alignment.  UBSan complains about referencing "flt" in such cases.
  */
 typedef union AnyArrayType
 {
@@ -307,17 +310,21 @@ typedef struct ArrayIteratorData *ArrayIterator;
  * Macros for working with AnyArrayType inputs.  Beware multiple references!
  */
 #define AARR_NDIM(a) \
-	(VARATT_IS_EXPANDED_HEADER(a) ? (a)->xpn.ndims : ARR_NDIM(&(a)->flt))
+	(VARATT_IS_EXPANDED_HEADER(a) ? \
+	 (a)->xpn.ndims : ARR_NDIM((ArrayType *) (a)))
 #define AARR_HASNULL(a) \
 	(VARATT_IS_EXPANDED_HEADER(a) ? \
 	 ((a)->xpn.dvalues != NULL ? (a)->xpn.dnulls != NULL : ARR_HASNULL((a)->xpn.fvalue)) : \
-	 ARR_HASNULL(&(a)->flt))
+	 ARR_HASNULL((ArrayType *) (a)))
 #define AARR_ELEMTYPE(a) \
-	(VARATT_IS_EXPANDED_HEADER(a) ? (a)->xpn.element_type : ARR_ELEMTYPE(&(a)->flt))
+	(VARATT_IS_EXPANDED_HEADER(a) ? \
+	 (a)->xpn.element_type : ARR_ELEMTYPE((ArrayType *) (a)))
 #define AARR_DIMS(a) \
-	(VARATT_IS_EXPANDED_HEADER(a) ? (a)->xpn.dims : ARR_DIMS(&(a)->flt))
+	(VARATT_IS_EXPANDED_HEADER(a) ? \
+	 (a)->xpn.dims : ARR_DIMS((ArrayType *) (a)))
 #define AARR_LBOUND(a) \
-	(VARATT_IS_EXPANDED_HEADER(a) ? (a)->xpn.lbound : ARR_LBOUND(&(a)->flt))
+	(VARATT_IS_EXPANDED_HEADER(a) ? \
+	 (a)->xpn.lbound : ARR_LBOUND((ArrayType *) (a)))
 
 
 /*
diff --git a/src/include/utils/arrayaccess.h b/src/include/utils/arrayaccess.h
@@ -71,8 +71,8 @@ array_iter_setup(array_iter *it, AnyArrayType *a)
 	{
 		it->datumptr = NULL;
 		it->isnullptr = NULL;
-		it->dataptr = ARR_DATA_PTR(&a->flt);
-		it->bitmapptr = ARR_NULLBITMAP(&a->flt);
+		it->dataptr = ARR_DATA_PTR((ArrayType *) a);
+		it->bitmapptr = ARR_NULLBITMAP((ArrayType *) a);
 	}
 	it->bitmask = 1;
 }
diff --git a/src/include/utils/expandeddatum.h b/src/include/utils/expandeddatum.h
@@ -126,7 +126,7 @@ struct ExpandedObjectHeader
  */
 #define EOH_HEADER_MAGIC (-1)
 #define VARATT_IS_EXPANDED_HEADER(PTR) \
-	(((ExpandedObjectHeader *) (PTR))->vl_len_ == EOH_HEADER_MAGIC)
+	(((varattrib_4b *) (PTR))->va_4byte.va_header == EOH_HEADER_MAGIC)
 
 /*
  * Generic support functions for expanded objects.

Original file line number	Diff line number	Diff line change
`@@ -4108,7 +4108,7 @@ array_contain_compare(AnyArrayType array1, AnyArrayType array2, Oid collation,`
`4108`	`4108`	`nelems2 = array2->xpn.nelems;`
`4109`	`4109`	`}`
`4110`	`4110`	`else`
`4111`		`- deconstruct_array(&(array2->flt),`
	`4111`	`+ deconstruct_array((ArrayType *) array2,`
`4112`	`4112`	`element_type, typlen, typbyval, typalign,`
`4113`	`4113`	`&values2, &nulls2, &nelems2);`
`4114`	`4114`
Original file line number	Diff line number	Diff line change
`@@ -71,8 +71,8 @@ array_iter_setup(array_iter it, AnyArrayType a)`
`71`	`71`	`{`
`72`	`72`	`it->datumptr = NULL;`
`73`	`73`	`it->isnullptr = NULL;`
`74`		`- it->dataptr = ARR_DATA_PTR(&a->flt);`
`75`		`- it->bitmapptr = ARR_NULLBITMAP(&a->flt);`
	`74`	`+ it->dataptr = ARR_DATA_PTR((ArrayType *) a);`
	`75`	`+ it->bitmapptr = ARR_NULLBITMAP((ArrayType *) a);`
`76`	`76`	`}`
`77`	`77`	`it->bitmask = 1;`
`78`	`78`	`}`