From 1c7443521f856dfb5f6731ff6fc0865a67a29f14 Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Sun, 7 Jan 2024 15:19:50 -0500
Subject: Fix integer-overflow problem in intarray's g_int_decompress().

An array element equal to INT_MAX gave this code indigestion, causing an infinite loop that surely ended in SIGSEGV. We fixed some nearby problems awhile ago (cf 757c5182f) but missed this.

Report and diagnosis by Alexander Lakhin (bug #18273); patch by me

Discussion: https://postgr.es/m/18273-9a832d1da122600c@postgresql.org
---
 contrib/intarray/_int_gist.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
(limited to 'contrib/intarray/_int_gist.c')

diff --git a/contrib/intarray/_int_gist.c b/contrib/intarray/_int_gist.c
index 1213c5250f8..62cd9ba9794 100644
--- a/contrib/intarray/_int_gist.c
+++ b/contrib/intarray/_int_gist.c
@@ -287,8 +287,7 @@ g_int_decompress(PG_FUNCTION_ARGS)
 ArrayType *in;
 int lenin;
 int *din;
- int i,
- j;
+ int i;
 
 in = DatumGetArrayTypeP(entry->key);
 
@@ -332,9 +331,12 @@ g_int_decompress(PG_FUNCTION_ARGS)
 dr = ARRPTR(r);
 
 for (i = 0; i < lenin; i += 2)
- for (j = din[i]; j <= din[i + 1]; j++)
+ {
+ /* use int64 for j in case din[i + 1] is INT_MAX */
+ for (int64 j = din[i]; j <= din[i + 1]; j++)
 if ((!i) || *(dr - 1) != j)
- *dr++ = j;
+ *dr++ = (int) j;
+ }
 
 if (in != (ArrayType *) DatumGetPointer(entry->key))
 pfree(in);
-- 
cgit v1.2.3
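Review bot: The rewritten loop still reads `din[i + 1]` on every iteration, so an odd `lenin` would read one element past the end of the input array; whether the length checks earlier in g_int_decompress exclude that is not visible here, since the function begins before the first hunk and continues after the second. If an even element count is an established invariant of compressed keys, stating it next to the loop, e.g. `Assert(lenin % 2 == 0);`, would document what the `i += 2` stride relies on. The `(int) j` cast is lossless because the loop condition bounds j by `din[i + 1]`, which is itself an int; extending the new comment to `/* use int64 for j in case din[i + 1] is INT_MAX; j never exceeds din[i + 1], so the cast back to int is lossless */` would spare the next reader that check. The writes through `*dr++` also depend on the output size computed before this hunk matching the number of distinct values the loop emits, which is worth a one-line comment at the loop head.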