mirror of
https://github.com/postgres/postgres.git
synced 2025-06-10 09:21:54 +03:00
Detect integer overflow in array_set_slice().
When provided an empty initial array, array_set_slice() fails to
check for overflow when computing the new array's dimensions.
While such overflows are ordinarily caught by ArrayGetNItems(),
commands with the following form are accepted:
INSERT INTO t (i[-2147483648:2147483647]) VALUES ('{}');
To fix, perform the hazardous computations using overflow-detecting
arithmetic routines. As with commit 18b585155a
, the added test
cases generate errors that include a platform-dependent value, so
we again use psql's VERBOSITY parameter to suppress printing the
message text.
Reported-by: Alexander Lakhin
Author: Joseph Koshakow
Reviewed-by: Jian He
Discussion: https://postgr.es/m/31ad2cd1-db94-bdb3-f91a-65ffdb4bef95%40gmail.com
Backpatch-through: 12
This commit is contained in:
src
@ -2923,7 +2923,14 @@ array_set_slice(Datum arraydatum,
|
||||
errdetail("When assigning to a slice of an empty array value,"
|
||||
" slice boundaries must be fully specified.")));
|
||||
|
||||
dim[i] = 1 + upperIndx[i] - lowerIndx[i];
|
||||
/* compute "upperIndx[i] - lowerIndx[i] + 1", detecting overflow */
|
||||
if (pg_sub_s32_overflow(upperIndx[i], lowerIndx[i], &dim[i]) ||
|
||||
pg_add_s32_overflow(dim[i], 1, &dim[i]))
|
||||
ereport(ERROR,
|
||||
(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
|
||||
errmsg("array size exceeds the maximum allowed (%d)",
|
||||
(int) MaxArraySize)));
|
||||
|
||||
lb[i] = lowerIndx[i];
|
||||
}
|
||||
|
||||
|
@ -1427,6 +1427,10 @@ update arr_pk_tbl set f1[2147483647] = 42 where pk = 10;
|
||||
ERROR: 54000
|
||||
update arr_pk_tbl set f1[2147483646:2147483647] = array[4,2] where pk = 10;
|
||||
ERROR: 54000
|
||||
insert into arr_pk_tbl(pk, f1[0:2147483647]) values (2, '{}');
|
||||
ERROR: 54000
|
||||
insert into arr_pk_tbl(pk, f1[-2147483648:2147483647]) values (2, '{}');
|
||||
ERROR: 54000
|
||||
-- also exercise the expanded-array case
|
||||
do $$ declare a int[];
|
||||
begin
|
||||
|
@ -447,6 +447,8 @@ reset enable_bitmapscan;
|
||||
insert into arr_pk_tbl values(10, '[-2147483648:-2147483647]={1,2}');
|
||||
update arr_pk_tbl set f1[2147483647] = 42 where pk = 10;
|
||||
update arr_pk_tbl set f1[2147483646:2147483647] = array[4,2] where pk = 10;
|
||||
insert into arr_pk_tbl(pk, f1[0:2147483647]) values (2, '{}');
|
||||
insert into arr_pk_tbl(pk, f1[-2147483648:2147483647]) values (2, '{}');
|
||||
|
||||
-- also exercise the expanded-array case
|
||||
do $$ declare a int[];
|
||||
|
Reference in New Issue
Block a user