mirror of https://github.com/postgres/postgres.git synced 2025-06-11 20:28:21 +03:00

Fix integer-overflow problem in intarray's g_int_decompress().

An array element equal to INT_MAX gave this code indigestion,
causing an infinite loop that surely ended in SIGSEGV.  We fixed
some nearby problems awhile ago (cf 757c5182f) but missed this.

Report and diagnosis by Alexander Lakhin (bug #18273); patch by me

Discussion: https://postgr.es/m/18273-9a832d1da122600c@postgresql.org
Tom Lane
2024-01-07 15:19:50 -05:00
parent 714a987bc1
commit cf6f802bf5
4 changed files with 27 additions and 22 deletions


@ -297,8 +297,7 @@ g_int_decompress(PG_FUNCTION_ARGS)
ArrayType *in;
int lenin;
int *din;
int i,
j;
int i;
in = DatumGetArrayTypeP(entry->key);
@ -342,9 +341,12 @@ g_int_decompress(PG_FUNCTION_ARGS)
dr = ARRPTR(r);
for (i = 0; i < lenin; i += 2)
for (j = din[i]; j <= din[i + 1]; j++)
{
/* use int64 for j in case din[i + 1] is INT_MAX */
for (int64 j = din[i]; j <= din[i + 1]; j++)
if ((!i) || *(dr - 1) != j)
*dr++ = j;
*dr++ = (int) j;
}
if (in != (ArrayType *) DatumGetPointer(entry->key))
pfree(in);
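Review bot: The duplicate check `*(dr - 1) != j` in the inner loop is guarded only by `(!i)`, so for i > 0 it assumes an earlier range has already stored an element; if the first pair were empty (din[0] > din[1]), dr would still equal ARRPTR(r) and the read would land before the first element. Whether such a pair can reach this loop depends on validation outside the hunk, which is not visible here, but the key arrives via entry->key rather than being built locally, so a guard tied to the output pointer would be more robust: `if (dr == ARRPTR(r) || *(dr - 1) != j)`. For well-formed ascending ranges this behaves the same as the current test. The new comment could also state the failure mode, e.g. `/* j must be int64: with int, j <= INT_MAX never becomes false and j++ overflows */`. g_int_decompress starts and ends outside the hunk.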