From 018d952a44d51fb9e0a186003556aebb69a66217 Mon Sep 17 00:00:00 2001 From: Joseph Koshakow Date: Sat, 6 Jul 2024 14:35:00 -0400 Subject: [PATCH 3/4] Remove overflow from array_set_slice This commit removes an overflow from array_set_slice that allows seting absurd slice ranges. --- src/backend/utils/adt/arrayfuncs.c | 8 +++++++- src/test/regress/expected/arrays.out | 8 ++++++++ src/test/regress/sql/arrays.sql | 6 ++++++ 3 files changed, 21 insertions(+), 1 deletion(-) diff --git a/src/backend/utils/adt/arrayfuncs.c b/src/backend/utils/adt/arrayfuncs.c index d6641b570d..95e027e9ea 100644 --- a/src/backend/utils/adt/arrayfuncs.c +++ b/src/backend/utils/adt/arrayfuncs.c @@ -2887,7 +2887,13 @@ array_set_slice(Datum arraydatum, errdetail("When assigning to a slice of an empty array value," " slice boundaries must be fully specified."))); - dim[i] = 1 + upperIndx[i] - lowerIndx[i]; + /* dim[i] = 1 + upperIndx[i] - lowerIndx[i]; */ + if (pg_add_s32_overflow(1, upperIndx[i], &dim[i]) || + pg_sub_s32_overflow(dim[i], lowerIndx[i], &dim[i])) + ereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("array size exceeds the maximum allowed (%d)", + (int) MaxArraySize))); lb[i] = lowerIndx[i]; } diff --git a/src/test/regress/expected/arrays.out b/src/test/regress/expected/arrays.out index 23404982f7..a2382387e2 100644 --- a/src/test/regress/expected/arrays.out +++ b/src/test/regress/expected/arrays.out @@ -2699,3 +2699,11 @@ SELECT array_sample('{1,2,3,4,5,6}'::int[], -1); -- fail ERROR: sample size must be between 0 and 6 SELECT array_sample('{1,2,3,4,5,6}'::int[], 7); --fail ERROR: sample size must be between 0 and 6 +-- Test for overflow in array slicing +CREATE temp table arroverflowtest (i int[]); +INSERT INTO arroverflowtest(i[-2147483648:2147483647]) VALUES ('{}'); +ERROR: array size exceeds the maximum allowed (134217727) +INSERT INTO arroverflowtest(i[1:2147483647]) VALUES ('{}'); +ERROR: array size exceeds the maximum allowed (134217727) +INSERT INTO arroverflowtest(i[2147483647:2147483647]) VALUES ('{}'); +ERROR: array size exceeds the maximum allowed (134217727) diff --git a/src/test/regress/sql/arrays.sql b/src/test/regress/sql/arrays.sql index 50aa539fdc..e9d6737117 100644 --- a/src/test/regress/sql/arrays.sql +++ b/src/test/regress/sql/arrays.sql @@ -825,3 +825,9 @@ SELECT array_dims(array_sample('[-1:2][2:3]={{1,2},{3,NULL},{5,6},{7,8}}'::int[] SELECT array_dims(array_sample('{{{1,2},{3,NULL}},{{5,6},{7,8}},{{9,10},{11,12}}}'::int[], 2)); SELECT array_sample('{1,2,3,4,5,6}'::int[], -1); -- fail SELECT array_sample('{1,2,3,4,5,6}'::int[], 7); --fail + +-- Test for overflow in array slicing +CREATE temp table arroverflowtest (i int[]); +INSERT INTO arroverflowtest(i[-2147483648:2147483647]) VALUES ('{}'); +INSERT INTO arroverflowtest(i[1:2147483647]) VALUES ('{}'); +INSERT INTO arroverflowtest(i[2147483647:2147483647]) VALUES ('{}'); -- 2.34.1