diff options
| author | Nathan Bossart <nathan@postgresql.org> | 2024-07-23 21:59:02 -0500 |
|---|---|---|
| committer | Nathan Bossart <nathan@postgresql.org> | 2024-07-23 21:59:02 -0500 |
| commit | 991f8cf8abe244547093ddffcc4b9209076f3525 (patch) | |
| tree | a7ee537470cc30dcc85c669e4638be008831ae31 /src | |
| parent | d3cc5ffe81f64c6418ba9b18a9db32392f8027e6 (diff) | |
| download | postgresql-991f8cf8abe244547093ddffcc4b9209076f3525.tar.gz postgresql-991f8cf8abe244547093ddffcc4b9209076f3525.zip | |
Detect integer overflow in array_set_slice().
When provided an empty initial array, array_set_slice() fails to
check for overflow when computing the new array's dimensions.
While such overflows are ordinarily caught by ArrayGetNItems(),
commands with the following form are accepted:
INSERT INTO t (i[-2147483648:2147483647]) VALUES ('{}');
To fix, perform the hazardous computations using overflow-detecting
arithmetic routines. As with commit 18b585155a, the added test
cases generate errors that include a platform-dependent value, so
we again use psql's VERBOSITY parameter to suppress printing the
message text.
Reported-by: Alexander Lakhin
Author: Joseph Koshakow
Reviewed-by: Jian He
Discussion: https://postgr.es/m/31ad2cd1-db94-bdb3-f91a-65ffdb4bef95%40gmail.com
Backpatch-through: 12
Diffstat (limited to 'src')
| -rw-r--r-- | src/backend/utils/adt/arrayfuncs.c | 9 | ||||
| -rw-r--r-- | src/test/regress/expected/arrays.out | 4 | ||||
| -rw-r--r-- | src/test/regress/sql/arrays.sql | 2 |
3 files changed, 14 insertions, 1 deletions
diff --git a/src/backend/utils/adt/arrayfuncs.c b/src/backend/utils/adt/arrayfuncs.c index d6641b570d5..e5c7e57a5de 100644 --- a/src/backend/utils/adt/arrayfuncs.c +++ b/src/backend/utils/adt/arrayfuncs.c @@ -2887,7 +2887,14 @@ array_set_slice(Datum arraydatum, errdetail("When assigning to a slice of an empty array value," " slice boundaries must be fully specified."))); - dim[i] = 1 + upperIndx[i] - lowerIndx[i]; + /* compute "upperIndx[i] - lowerIndx[i] + 1", detecting overflow */ + if (pg_sub_s32_overflow(upperIndx[i], lowerIndx[i], &dim[i]) || + pg_add_s32_overflow(dim[i], 1, &dim[i])) + ereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("array size exceeds the maximum allowed (%d)", + (int) MaxArraySize))); + lb[i] = lowerIndx[i]; } diff --git a/src/test/regress/expected/arrays.out b/src/test/regress/expected/arrays.out index 23404982f71..a6d81fd5f92 100644 --- a/src/test/regress/expected/arrays.out +++ b/src/test/regress/expected/arrays.out @@ -1427,6 +1427,10 @@ update arr_pk_tbl set f1[2147483647] = 42 where pk = 10; ERROR: 54000 update arr_pk_tbl set f1[2147483646:2147483647] = array[4,2] where pk = 10; ERROR: 54000 +insert into arr_pk_tbl(pk, f1[0:2147483647]) values (2, '{}'); +ERROR: 54000 +insert into arr_pk_tbl(pk, f1[-2147483648:2147483647]) values (2, '{}'); +ERROR: 54000 -- also exercise the expanded-array case do $$ declare a int[]; begin diff --git a/src/test/regress/sql/arrays.sql b/src/test/regress/sql/arrays.sql index 50aa539fdc1..47058dfde50 100644 --- a/src/test/regress/sql/arrays.sql +++ b/src/test/regress/sql/arrays.sql @@ -447,6 +447,8 @@ reset enable_bitmapscan; insert into arr_pk_tbl values(10, '[-2147483648:-2147483647]={1,2}'); update arr_pk_tbl set f1[2147483647] = 42 where pk = 10; update arr_pk_tbl set f1[2147483646:2147483647] = array[4,2] where pk = 10; +insert into arr_pk_tbl(pk, f1[0:2147483647]) values (2, '{}'); +insert into arr_pk_tbl(pk, f1[-2147483648:2147483647]) values (2, '{}'); -- also exercise the expanded-array case do $$ declare a int[]; |