Author: Filip Januš <fjanus@redhat.com>
Backport of https://git.postgresql.org/gitweb/?p=postgresql.git;a=patch;h=0c1caa48d3ccb7a5d1343b53aa32fcae45dc2d00
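diff -ur postgresql-9.2.24/src/backend/executor/execQual.c postgresql-9.2.24-patched/src/backend/executor/execQual.c
--- postgresql-9.2.24/src/backend/executor/execQual.c 2017-11-06 23:17:39.000000000 +0100
+++ postgresql-9.2.24-patched/src/backend/executor/execQual.c 2021-06-02 10:05:19.781390954 +0200
@@ -3212,6 +3212,9 @@
 dims[i] = elem_dims[i - 1];
 lbs[i] = elem_lbs[i - 1];
 }
+ /* Check subscript owerflow */
+ (void) ArrayGetNItems(ndims, dims);
+ ArrayCheckBounds(ndims, dims, lbs);
 
 if (havenulls)
 {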
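Review bot: The added comment misspells "overflow" and does not say why the result of `ArrayGetNItems` is thrown away with a `(void)` cast. The header comment on `ArrayCheckBounds` in arrayutils.c states that it assumes the caller already ran `ArrayGetNItems`, so the order of these two calls is load-bearing and worth recording here. I would write `/* Check for subscript overflow; ArrayGetNItems() is called only for its dimension check, which ArrayCheckBounds() depends on */`. The enclosing block starts and ends outside this hunk, so how `dims` and `lbs` are filled before the loop is not visible.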
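diff -ur postgresql-9.2.24/src/backend/utils/adt/arrayfuncs.c postgresql-9.2.24-patched/src/backend/utils/adt/arrayfuncs.c
--- postgresql-9.2.24/src/backend/utils/adt/arrayfuncs.c 2017-11-06 23:17:39.000000000 +0100
+++ postgresql-9.2.24-patched/src/backend/utils/adt/arrayfuncs.c 2021-06-02 10:05:19.785391004 +0200
@@ -325,7 +325,9 @@
 
 /* This checks for overflow of the array dimensions */
 nitems = ArrayGetNItems(ndim, dim);
- /* Empty array? */
+ ArrayCheckBounds(ndim, dim, lBound);
+
+ /* Empty array? */
 if (nitems == 0)
 PG_RETURN_ARRAYTYPE_P(construct_empty_array(element_type));
 
@@ -1261,24 +1263,11 @@
 dim[i] = pq_getmsgint(buf, 4);
 lBound[i] = pq_getmsgint(buf, 4);
 
- /*
- * Check overflow of upper bound. (ArrayNItems() below checks that
- * dim[i] >= 0)
- */
- if (dim[i] != 0)
- {
- int ub = lBound[i] + dim[i] - 1;
-
- if (lBound[i] > ub)
- ereport(ERROR,
- (errcode(ERRCODE_NUMERIC_VALUE_OUT_OF_RANGE),
- errmsg("integer out of range")));
- }
 }
 
 /* This checks for overflow of array dimensions */
 nitems = ArrayGetNItems(ndim, dim);
-
+ ArrayCheckBounds(ndim, dim, lBound);
 /*
 * We arrange to look up info about element type, including its receive
 * conversion proc, only once per series of calls, assuming the element
@@ -2074,7 +2063,7 @@
 (errcode(ERRCODE_ARRAY_SUBSCRIPT_ERROR),
 errmsg("wrong number of array subscripts")));
 
- if (indx[0] < 0 || indx[0] * elmlen >= arraytyplen)
+ if (indx[0] < 0 || indx[0] >= arraytyplen / elmlen)
 ereport(ERROR,
 (errcode(ERRCODE_ARRAY_SUBSCRIPT_ERROR),
 errmsg("array subscript out of range")));
@@ -2178,6 +2167,8 @@
 * Compute sizes of items and areas to copy
 */
 newnitems = ArrayGetNItems(ndim, dim);
+ /* Check for overflow of the array dimension */
+ ArrayCheckBounds(ndim, dim, lb);
 if (newhasnulls)
 overheadlen = ARR_OVERHEAD_WITHNULLS(ndim, newnitems);
 else
@@ -2481,6 +2472,7 @@
 
 /* Do this mainly to check for overflow */
 nitems = ArrayGetNItems(ndim, dim);
+ ArrayCheckBounds(ndim, dim, lb);
 
 /*
 * Make sure source array has enough entries. Note we ignore the shape of
@@ -2919,6 +2911,7 @@
 return construct_empty_array(elmtype);
 
 nelems = ArrayGetNItems(ndims, dims);
+ ArrayCheckBounds(ndims, dims, lbs);
 
 /* compute required space */
 nbytes = 0;
@@ -4965,6 +4958,7 @@
 }
 
 nitems = ArrayGetNItems(ndims, dimv);
+ ArrayCheckBounds(ndims,dimv, lbsv);
 
 /* fast track for empty array */
 if (nitems <= 0)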
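Review bot: The `@@ -1261` hunk changes client-visible behaviour for dimensions read off the wire with `pq_getmsgint`, and nothing in the code or the patch description records it. The removed inline check raised `ERRCODE_NUMERIC_VALUE_OUT_OF_RANGE` ("integer out of range") and accepted a last subscript equal to INT_MAX. `ArrayCheckBounds` raises `ERRCODE_PROGRAM_LIMIT_EXCEEDED` and, by its own header comment, rejects that case. A short comment above the new call would help, for example `/* Also rejects lower bounds whose sum with dim[] overflows; raises PROGRAM_LIMIT_EXCEEDED */`. The same hunk drops the blank line before the following `/* We arrange to look up ... */` block, and the `@@ -4965` hunk should read `ArrayCheckBounds(ndims, dimv, lbsv);` with a space after the first comma. All of these hunks sit inside functions whose start and end are outside the visible lines.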
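diff -ur postgresql-9.2.24/src/backend/utils/adt/array_userfuncs.c postgresql-9.2.24-patched/src/backend/utils/adt/array_userfuncs.c
--- postgresql-9.2.24/src/backend/utils/adt/array_userfuncs.c 2017-11-06 23:17:39.000000000 +0100
+++ postgresql-9.2.24-patched/src/backend/utils/adt/array_userfuncs.c 2021-06-02 10:05:19.785391004 +0200
@@ -362,6 +362,7 @@
 
 /* Do this mainly for overflow checking */
 nitems = ArrayGetNItems(ndims, dims);
+ ArrayCheckBounds(ndims, dims, lbs);
 
 /* build the result array */
 ndatabytes = ndatabytes1 + ndatabytes2;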
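diff -ur postgresql-9.2.24/src/backend/utils/adt/arrayutils.c postgresql-9.2.24-patched/src/backend/utils/adt/arrayutils.c
--- postgresql-9.2.24/src/backend/utils/adt/arrayutils.c 2017-11-06 23:17:39.000000000 +0100
+++ postgresql-9.2.24-patched/src/backend/utils/adt/arrayutils.c 2021-06-02 10:05:19.782390966 +0200
@@ -233,3 +233,29 @@
 
 return result;
 }
+/*
+ * Verify sanity of proposed lower-bound values for an array
+ *
+ * The lower-bound values must not be so large as to cause overflow when
+ * calculating subscripts, e.g. lower bound 2147483640 with length 10
+ * must be disallowed. We actually insist that dims[i] + lb[i] be
+ * computable without overflow, meaning that an array with last subscript
+ * equal to INT_MAX will be disallowed.
+ *
+ * It is assumed that the caller already called ArrayGetNItems, so that
+ * overflowed (negative) dims[] values have been eliminated.
+ */
+void
+ArrayCheckBounds(int ndim, const int *dims, const int *lb)
+{
+ int i;
+
+ for (i = 0; i < ndim; i++)
+ {
+ if (dims[i] + lb[i] < lb[i])
+ ereport(ERROR,
+ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+ errmsg("array lower bound is too large: %d",
+ lb[i])));
+ }
+}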
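Review bot: The test `if (dims[i] + lb[i] < lb[i])` in `ArrayCheckBounds` detects overflow by performing the overflowing signed addition, which ISO C leaves undefined. A compiler may reduce it to `dims[i] < 0`, which the header comment says callers have already excluded, so the check could vanish unless the build forces wrapping semantics (for example `-fwrapv`; the build flags are not visible on this page). Every call site added by this patch depends on this one comparison. A form that never overflows is `if (lb[i] > INT_MAX - dims[i])`, which is well defined because `dims[i]` is non-negative here and rejects the same inputs. It assumes `INT_MAX` is already in scope in arrayutils.c. A blank line between the preceding function's closing brace and the new comment block would also match the rest of the file.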
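diff -ur postgresql-9.2.24/src/include/utils/array.h postgresql-9.2.24-patched/src/include/utils/array.h
--- postgresql-9.2.24/src/include/utils/array.h 2017-11-06 23:17:39.000000000 +0100
+++ postgresql-9.2.24-patched/src/include/utils/array.h 2021-06-02 10:05:19.713390098 +0200
@@ -273,7 +273,7 @@
 extern void mda_get_offset_values(int n, int *dist, const int *prod, const int *span);
 extern int mda_next_tuple(int n, int *curr, const int *span);
 extern int32 *ArrayGetIntegerTypmods(ArrayType *arr, int *n);
-
+extern void ArrayCheckBounds(int ndim, const int *dims, const int *lb);
 /*
 * prototypes for functions defined in array_userfuncs.c
 */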
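Review bot: The new prototype replaces the blank separator line instead of being added above it, so `ArrayCheckBounds` now sits directly against the `/* prototypes for functions defined in array_userfuncs.c */` banner. The function is defined in arrayutils.c, so it reads as belonging to the wrong group. Keep the empty line after `extern void ArrayCheckBounds(int ndim, const int *dims, const int *lb);` so the arrayutils.c prototypes stay visually separate.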