Only adjust negative indexes in json_get up to the length of the path.

The previous code resulted in memory access beyond the path bounds. The cure is to move it into a code branch that checks the value of lex_level is within the correct bounds. Bug reported and diagnosed by Piotr Stefaniak.
2025-05-03 22:24:49 +03:00 · 2015-07-28 17:54:13 -04:00 · 2015-07-28 17:54:13 -04:00 · 40a50a17b9
commit 40a50a17b9
parent 116be6c171
1 changed files with 13 additions and 13 deletions
--- a/src/backend/utils/adt/jsonfuncs.c
+++ b/src/backend/utils/adt/jsonfuncs.c
@ -977,16 +977,6 @@ get_array_start(void *state)
 	{
 		/* Initialize counting of elements in this array */
 		_state->array_cur_index[lex_level] = -1;
-	}
-	else if (lex_level == 0 && _state->npath == 0)
-	{
-		/*
-		 * Special case: we should match the entire array.  We only need this
-		 * at outermost level because at nested levels the match will have
-		 * been started by the outer field or array element callback.
-		 */
-		_state->result_start = _state->lex->token_start;
-	}

 		/* INT_MIN value is reserved to represent invalid subscript */
 		if (_state->path_indexes[lex_level] < 0 &&
@ -999,6 +989,16 @@ get_array_start(void *state)
 				_state->path_indexes[lex_level] += nelements;
 		}
 	}
+	else if (lex_level == 0 && _state->npath == 0)
+	{
+		/*
+		 * Special case: we should match the entire array.  We only need this
+		 * at the outermost level because at nested levels the match will
+		 * have been started by the outer field or array element callback.
+		 */
+		_state->result_start = _state->lex->token_start;
+	}
+}

 static void
 get_array_end(void *state)