On Wed, Feb 04, 2026 at 06:15:11PM +0700, John Naylor wrote: > I logged the offending statement and found > > curchunk: 50 > TOAST_MAX_CHUNK_SIZE: 1996 > sliceoffset: 99994 > chcpystrt 194 > > The expression for the offset to the pointer: > > (curchunk * TOAST_MAX_CHUNK_SIZE - sliceoffset) + chcpystrt > > is zero by way of > > (-194) + 194 > > ...so the "+ (-194)" must get cast to "+ (size_t) (-194)" causing the > overflow. So the parentheses are indeed at fault by forcing > precedence. The entire offset expression is never negative for our > regression tests (nor should it ever be), so it's kind of pointless to > cast any subset of this to a signed type. I went ahead and pushed 0001 > to all versions. Thanks Alexander, for the report and the patch!
Ah. I've seen this one, actually, while playing with the TOAST patch set for 64-bit values. The max chunk size varies as this code would need to switch between two possible sizes, and I've been super puzzled by the fact that I had to switch the code to use an unsigned integer for the declaration of my max_chunk_size, and a signed integer quickly failed. Thanks for the fix! -- Michael
signature.asc
Description: PGP signature
