Guard against overflow in interval_mul() and interval_div().

Commits 146604ec43 and a898b409f6 added overflow checks to
interval_mul(), but not to interval_div(), which contains almost
identical code, and so is susceptible to the same kinds of
overflows. In addition, those checks did not catch all possible
overflow conditions.

Add additional checks to the "cascade down" code in interval_mul(),
and copy all the overflow checks over to the corresponding code in
interval_div(), so that they both generate "interval out of range"
errors, rather than returning bogus results.

Given that these errors are relatively easy to hit, back-patch to all
supported branches.

Per bug #18200 from Alexander Lakhin, and subsequent investigation.

Discussion: https://postgr.es/m/18200-5ea288c7b2d504b1%40postgresql.org

src/backend/utils/adt/timestamp.c

@@ -3548,17 +3548,14 @@ interval_mul(PG_FUNCTION_ARGS)
 	 * interval type has nothing equivalent to NaN.
 	 */
 	if (isnan(factor))
-		ereport(ERROR,
+		goto out_of_range;
-				(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
-				 errmsg("interval out of range")));
 
 	if (INTERVAL_NOT_FINITE(span))
 	{
 		if (factor == 0.0)
-			ereport(ERROR,
+			goto out_of_range;
-					(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+
-					 errmsg("interval out of range")));
+		if (factor < 0.0)
-		else if (factor < 0.0)
 			interval_um_internal(span, result);
 		else
 			memcpy(result, span, sizeof(Interval));
@@ -3570,10 +3567,9 @@ interval_mul(PG_FUNCTION_ARGS)
 		int			isign = interval_sign(span);
 
 		if (isign == 0)
-			ereport(ERROR,
+			goto out_of_range;
-					(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+
-					 errmsg("interval out of range")));
+		if (factor * isign < 0)
-		else if (factor * isign < 0)
 			INTERVAL_NOBEGIN(result);
 		else
 			INTERVAL_NOEND(result);
@@ -3582,19 +3578,13 @@ interval_mul(PG_FUNCTION_ARGS)
 	}
 
 	result_double = span->month * factor;
-	if (isnan(result_double) ||
+	if (isnan(result_double) || !FLOAT8_FITS_IN_INT32(result_double))
-		result_double > INT_MAX || result_double < INT_MIN)
+		goto out_of_range;
-		ereport(ERROR,
-				(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
-				 errmsg("interval out of range")));
 	result->month = (int32) result_double;
 
 	result_double = span->day * factor;
-	if (isnan(result_double) ||
+	if (isnan(result_double) || !FLOAT8_FITS_IN_INT32(result_double))
-		result_double > INT_MAX || result_double < INT_MIN)
+		goto out_of_range;
-		ereport(ERROR,
-				(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
-				 errmsg("interval out of range")));
 	result->day = (int32) result_double;
 
 	/*
@@ -3628,25 +3618,33 @@ interval_mul(PG_FUNCTION_ARGS)
 	 */
 	if (fabs(sec_remainder) >= SECS_PER_DAY)
 	{
-		result->day += (int) (sec_remainder / SECS_PER_DAY);
+		if (pg_add_s32_overflow(result->day,
+								(int) (sec_remainder / SECS_PER_DAY),
+								&result->day))
+			goto out_of_range;
 		sec_remainder -= (int) (sec_remainder / SECS_PER_DAY) * SECS_PER_DAY;
 	}
 
 	/* cascade units down */
-	result->day += (int32) month_remainder_days;
+	if (pg_add_s32_overflow(result->day, (int32) month_remainder_days,
+							&result->day))
+		goto out_of_range;
 	result_double = rint(span->time * factor + sec_remainder * USECS_PER_SEC);
 	if (isnan(result_double) || !FLOAT8_FITS_IN_INT64(result_double))
-		ereport(ERROR,
+		goto out_of_range;
-				(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
-				 errmsg("interval out of range")));
 	result->time = (int64) result_double;
 
 	if (INTERVAL_NOT_FINITE(result))
-		ereport(ERROR,
+		goto out_of_range;
-				(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
-				 errmsg("interval out of range")));
 
 	PG_RETURN_INTERVAL_P(result);
+
+out_of_range:
+	ereport(ERROR,
+			errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+			errmsg("interval out of range"));
+
+	PG_RETURN_NULL();			/* keep compiler quiet */
 }
 
 Datum
@@ -3665,7 +3663,8 @@ interval_div(PG_FUNCTION_ARGS)
 	Interval   *span = PG_GETARG_INTERVAL_P(0);
 	float8		factor = PG_GETARG_FLOAT8(1);
 	double		month_remainder_days,
-				sec_remainder;
+				sec_remainder,
+				result_double;
 	int32		orig_month = span->month,
 				orig_day = span->day;
 	Interval   *result;
@@ -3685,16 +3684,12 @@ interval_div(PG_FUNCTION_ARGS)
 	 * by the regular division code, causing all fields to be set to zero.
 	 */
 	if (isnan(factor))
-		ereport(ERROR,
+		goto out_of_range;
-				(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
-				 errmsg("interval out of range")));
 
 	if (INTERVAL_NOT_FINITE(span))
 	{
 		if (isinf(factor))
-			ereport(ERROR,
+			goto out_of_range;
-					(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
-					 errmsg("interval out of range")));
 
 		if (factor < 0.0)
 			interval_um_internal(span, result);
@@ -3704,8 +3699,15 @@ interval_div(PG_FUNCTION_ARGS)
 		PG_RETURN_INTERVAL_P(result);
 	}
 
-	result->month = (int32) (span->month / factor);
+	result_double = span->month / factor;
-	result->day = (int32) (span->day / factor);
+	if (isnan(result_double) || !FLOAT8_FITS_IN_INT32(result_double))
+		goto out_of_range;
+	result->month = (int32) result_double;
+
+	result_double = span->day / factor;
+	if (isnan(result_double) || !FLOAT8_FITS_IN_INT32(result_double))
+		goto out_of_range;
+	result->day = (int32) result_double;
 
 	/*
 	 * Fractional months full days into days.  See comment in interval_mul().
@@ -3717,20 +3719,33 @@ interval_div(PG_FUNCTION_ARGS)
 	sec_remainder = TSROUND(sec_remainder);
 	if (fabs(sec_remainder) >= SECS_PER_DAY)
 	{
-		result->day += (int) (sec_remainder / SECS_PER_DAY);
+		if (pg_add_s32_overflow(result->day,
+								(int) (sec_remainder / SECS_PER_DAY),
+								&result->day))
+			goto out_of_range;
 		sec_remainder -= (int) (sec_remainder / SECS_PER_DAY) * SECS_PER_DAY;
 	}
 
 	/* cascade units down */
-	result->day += (int32) month_remainder_days;
+	if (pg_add_s32_overflow(result->day, (int32) month_remainder_days,
-	result->time = rint(span->time / factor + sec_remainder * USECS_PER_SEC);
+							&result->day))
+		goto out_of_range;
+	result_double = rint(span->time / factor + sec_remainder * USECS_PER_SEC);
+	if (isnan(result_double) || !FLOAT8_FITS_IN_INT64(result_double))
+		goto out_of_range;
+	result->time = (int64) result_double;
 
 	if (INTERVAL_NOT_FINITE(result))
-		ereport(ERROR,
+		goto out_of_range;
-				(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
-				 errmsg("interval out of range")));
 
 	PG_RETURN_INTERVAL_P(result);
+
+out_of_range:
+	ereport(ERROR,
+			errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+			errmsg("interval out of range"));
+
+	PG_RETURN_NULL();			/* keep compiler quiet */
 }
 
 

src/test/regress/expected/interval.out

@@ -488,6 +488,19 @@ SELECT * FROM INTERVAL_TBL;
  -infinity
 (12 rows)
 
+-- multiplication and division overflow test cases
+SELECT '3000000 months'::interval * 1000;
+ERROR:  interval out of range
+SELECT '3000000 months'::interval / 0.001;
+ERROR:  interval out of range
+SELECT '3000000 days'::interval * 1000;
+ERROR:  interval out of range
+SELECT '3000000 days'::interval / 0.001;
+ERROR:  interval out of range
+SELECT '1 month 2146410 days'::interval * 1000.5002;
+ERROR:  interval out of range
+SELECT '4611686018427387904 usec'::interval / 0.1;
+ERROR:  interval out of range
 -- test avg(interval), which is somewhat fragile since people have been
 -- known to change the allowed input syntax for type interval without
 -- updating pg_aggregate.agginitval

src/test/regress/sql/interval.sql

@@ -154,6 +154,14 @@ SET IntervalStyle to postgres_verbose;
 
 SELECT * FROM INTERVAL_TBL;
 
+-- multiplication and division overflow test cases
+SELECT '3000000 months'::interval * 1000;
+SELECT '3000000 months'::interval / 0.001;
+SELECT '3000000 days'::interval * 1000;
+SELECT '3000000 days'::interval / 0.001;
+SELECT '1 month 2146410 days'::interval * 1000.5002;
+SELECT '4611686018427387904 usec'::interval / 0.1;
+
 -- test avg(interval), which is somewhat fragile since people have been
 -- known to change the allowed input syntax for type interval without
 -- updating pg_aggregate.agginitval