From 697aebac53b3805196e820cc8eb9c35fee2c08c0 Mon Sep 17 00:00:00 2001 From: Joseph Koshakow Date: Sat, 6 Jul 2024 14:35:00 -0400 Subject: [PATCH 2/4] Remove overflow from array_set_slice This commit removes an overflow from array_set_slice that allows seting absurd slice ranges. --- src/backend/utils/adt/arrayfuncs.c | 10 +++++++++- src/test/regress/expected/arrays.out | 14 ++++++++++++++ src/test/regress/sql/arrays.sql | 9 +++++++++ 3 files changed, 32 insertions(+), 1 deletion(-) diff --git a/src/backend/utils/adt/arrayfuncs.c b/src/backend/utils/adt/arrayfuncs.c index d6641b570d..e81aea4d19 100644 --- a/src/backend/utils/adt/arrayfuncs.c +++ b/src/backend/utils/adt/arrayfuncs.c @@ -2880,6 +2880,8 @@ array_set_slice(Datum arraydatum, for (i = 0; i < nSubscripts; i++) { + int64 newdim; + if (!upperProvided[i] || !lowerProvided[i]) ereport(ERROR, (errcode(ERRCODE_ARRAY_SUBSCRIPT_ERROR), @@ -2887,7 +2889,13 @@ array_set_slice(Datum arraydatum, errdetail("When assigning to a slice of an empty array value," " slice boundaries must be fully specified."))); - dim[i] = 1 + upperIndx[i] - lowerIndx[i]; + newdim = (int64) 1 + (int64) upperIndx[i] - (int64) lowerIndx[i]; + if (unlikely(newdim < (int64) PG_INT32_MIN || newdim > (int64) PG_INT32_MAX)) + ereport(ERROR, + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), + errmsg("array size exceeds the maximum allowed (%d)", + (int) MaxArraySize))); + dim[i] = newdim; lb[i] = lowerIndx[i]; } diff --git a/src/test/regress/expected/arrays.out b/src/test/regress/expected/arrays.out index 23404982f7..8014a492fc 100644 --- a/src/test/regress/expected/arrays.out +++ b/src/test/regress/expected/arrays.out @@ -2699,3 +2699,17 @@ SELECT array_sample('{1,2,3,4,5,6}'::int[], -1); -- fail ERROR: sample size must be between 0 and 6 SELECT array_sample('{1,2,3,4,5,6}'::int[], 7); --fail ERROR: sample size must be between 0 and 6 +-- Test for overflow in array slicing +CREATE temp table arroverflowtest (i int[]); +INSERT INTO arroverflowtest(i[-2147483648:2147483647]) VALUES ('{}'); +ERROR: array size exceeds the maximum allowed (134217727) +INSERT INTO arroverflowtest(i[1:2147483647]) VALUES ('{}'); +ERROR: array size exceeds the maximum allowed (134217727) +INSERT INTO arroverflowtest(i[2147483647:2147483647]) VALUES ('{}'); +ERROR: source array too small +INSERT INTO arroverflowtest(i[2147483647:2147483647]) VALUES ('{1}'); +ERROR: array lower bound is too large: 2147483647 +INSERT INTO arroverflowtest(i[2147483646:2147483647]) VALUES ('{1,2}'); +ERROR: array lower bound is too large: 2147483646 +INSERT INTO arroverflowtest(i[10:-2147483648]) VALUES ('{}'); +ERROR: array size exceeds the maximum allowed (134217727) diff --git a/src/test/regress/sql/arrays.sql b/src/test/regress/sql/arrays.sql index 50aa539fdc..fbadcd9f26 100644 --- a/src/test/regress/sql/arrays.sql +++ b/src/test/regress/sql/arrays.sql @@ -825,3 +825,12 @@ SELECT array_dims(array_sample('[-1:2][2:3]={{1,2},{3,NULL},{5,6},{7,8}}'::int[] SELECT array_dims(array_sample('{{{1,2},{3,NULL}},{{5,6},{7,8}},{{9,10},{11,12}}}'::int[], 2)); SELECT array_sample('{1,2,3,4,5,6}'::int[], -1); -- fail SELECT array_sample('{1,2,3,4,5,6}'::int[], 7); --fail + +-- Test for overflow in array slicing +CREATE temp table arroverflowtest (i int[]); +INSERT INTO arroverflowtest(i[-2147483648:2147483647]) VALUES ('{}'); +INSERT INTO arroverflowtest(i[1:2147483647]) VALUES ('{}'); +INSERT INTO arroverflowtest(i[2147483647:2147483647]) VALUES ('{}'); +INSERT INTO arroverflowtest(i[2147483647:2147483647]) VALUES ('{1}'); +INSERT INTO arroverflowtest(i[2147483646:2147483647]) VALUES ('{1,2}'); +INSERT INTO arroverflowtest(i[10:-2147483648]) VALUES ('{}'); -- 2.39.3 (Apple Git-146)