From 670fb9f187cd75b6928cc044897a1f468439e19d Mon Sep 17 00:00:00 2001 From: Nathan Bossart Date: Tue, 23 Jul 2024 21:59:02 -0500 Subject: Detect integer overflow in array_set_slice(). When provided an empty initial array, array_set_slice() fails to check for overflow when computing the new array's dimensions. While such overflows are ordinarily caught by ArrayGetNItems(), commands with the following form are accepted: INSERT INTO t (i[-2147483648:2147483647]) VALUES ('{}'); To fix, perform the hazardous computations using overflow-detecting arithmetic routines. As with commit 18b585155a, the added test cases generate errors that include a platform-dependent value, so we again use psql's VERBOSITY parameter to suppress printing the message text. Reported-by: Alexander Lakhin Author: Joseph Koshakow Reviewed-by: Jian He Discussion: https://postgr.es/m/31ad2cd1-db94-bdb3-f91a-65ffdb4bef95%40gmail.com Backpatch-through: 12 --- src/backend/utils/adt/arrayfuncs.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'src/backend/utils/adt/arrayfuncs.c') diff --git a/src/backend/utils/adt/arrayfuncs.c b/src/backend/utils/adt/arrayfuncs.c index 0071f7d2f4c..ce659b554ef 100644 --- a/src/backend/utils/adt/arrayfuncs.c +++ b/src/backend/utils/adt/arrayfuncs.c @@ -2899,7 +2899,14 @@ array_set_slice(Datum arraydatum, errdetail("When assigning to a slice of an empty array value," " slice boundaries must be fully specified."))); - dim[i] = 1 + upperIndx[i] - lowerIndx[i]; + /* compute "upperIndx[i] - lowerIndx[i] + 1", detecting overflow */ + if (pg_sub_s32_overflow(upperIndx[i], lowerIndx[i], &dim[i]) || + pg_add_s32_overflow(dim[i], 1, &dim[i])) + ereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("array size exceeds the maximum allowed (%d)", + (int) MaxArraySize))); + lb[i] = lowerIndx[i]; } -- cgit v1.2.3