authorTom Lane <tgl@sss.pgh.pa.us>2024-01-07 15:19:50 -0500
committerTom Lane <tgl@sss.pgh.pa.us>2024-01-07 15:19:50 -0500
commit940ab02b53eb3a3babc9dd4dea261f5a6d8aa334 (patch)
tree9fd0c30e643e7ed98d6b0afd750e1c63d9f05a94 /contrib/intarray/_int_gist.c
parent1a7c03e6fc75d2a5ee4893252d47f0549f078494 (diff)
Fix integer-overflow problem in intarray's g_int_decompress().
An array element equal to INT_MAX gave this code indigestion, causing an infinite loop that surely ended in SIGSEGV. We fixed some nearby problems awhile ago (cf 757c5182f) but missed this.

Report and diagnosis by Alexander Lakhin (bug #18273); patch by me.

Discussion: https://postgr.es/m/18273-9a832d1da122600c@postgresql.org
Diffstat (limited to 'contrib/intarray/_int_gist.c')
-rw-r--r--contrib/intarray/_int_gist.c10
1 files changed, 6 insertions, 4 deletions
diff --git a/contrib/intarray/_int_gist.c b/contrib/intarray/_int_gist.c
index ea79c4bb51f..5d46b6bc13e 100644
--- a/contrib/intarray/_int_gist.c
+++ b/contrib/intarray/_int_gist.c
@@ -296,8 +296,7 @@ g_int_decompress(PG_FUNCTION_ARGS)
ArrayType *in;
int lenin;
int *din;
- int i,
- j;
+ int i;
in = DatumGetArrayTypeP(entry->key);
@@ -341,9 +340,12 @@ g_int_decompress(PG_FUNCTION_ARGS)
dr = ARRPTR(r);
for (i = 0; i < lenin; i += 2)
- for (j = din[i]; j <= din[i + 1]; j++)
+ {
+ /* use int64 for j in case din[i + 1] is INT_MAX */
+ for (int64 j = din[i]; j <= din[i + 1]; j++)
if ((!i) || *(dr - 1) != j)
- *dr++ = j;
+ *dr++ = (int) j;
+ }
if (in != (ArrayType *) DatumGetPointer(entry->key))
pfree(in);
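Review bot: The writes through `*dr++` in the inner loop are still bounded only by the size `r` was allocated with above this hunk, so the loop stays in bounds only if that size computation treats INT_MAX endpoints the same way the widened `j` now does. An assertion right after the outer loop, `Assert(dr - ARRPTR(r) <= ARRNELEMS(r));`, would surface any mismatch in assert-enabled builds rather than leaving it as silent memory corruption. The dedup test `*(dr - 1) != j` also assumes an earlier range has already stored an element whenever `i > 0`; if a damaged index entry could carry `din[0] > din[1]`, that read lands on the word before the data area, which seems worth a short comment or an explicit check. The body of g_int_decompress starts and ends outside the hunk, so the allocation and any validation of `din` are not visible here.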