Re: BUG #18273: Incorrect memory access occurs when gist__int index is building on data containing 2^31-1 - Mailing list pgsql-bugs

From Tom Lane
Subject Re: BUG #18273: Incorrect memory access occurs when gist__int index is building on data containing 2^31-1
Date
Msg-id 1636926.1704656559@sss.pgh.pa.us
In response to BUG #18273: Incorrect memory access occurs when gist__int index is building on data containing 2^31-1  (PG Bug reporting form <noreply@postgresql.org>)
List pgsql-bugs
PG Bug reporting form <noreply@postgresql.org> writes:
> As far as I can see, the loop for j shown below:
> Datum
> g_int_decompress(PG_FUNCTION_ARGS)
> {
> ...
>     for (i = 0; i < lenin; i += 2)
>         for (j = din[i]; j <= din[i + 1]; j++)
>             if ((!i) || *(dr - 1) != j)
>                 *dr++ = j;
> overflows when din[i] == din[i+1] == 2147483647.

Yeah, you are right.  Probably the simplest fix is to widen j to
int64.  I see that somebody has already int64-ified g_int_compress
and internal_size (else we'd not get this far), but they missed this.

Will fix, thanks for report!

            regards, tom lane
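
The overflow discussed in this message, as an added example that is not part of the original thread or of the PostgreSQL source. `expand_narrow`, `expand_wide` and the `cap` guard are hypothetical names introduced here. Signed overflow is undefined in C, so the 32-bit wrap is modeled in unsigned arithmetic on the assumption that wrap-around is the typical outcome.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Model of the quoted loop with a 32-bit counter. The wrap is done in
 * unsigned arithmetic to avoid undefined behaviour in this demo.
 * cap is a guard added here; returns -1 when it would be exceeded. */
static long expand_narrow(const int32_t *din, int lenin, int32_t *out, size_t cap)
{
    size_t n = 0;
    for (int i = 0; i < lenin; i += 2) {
        int32_t j = din[i];
        while (j <= din[i + 1]) {      /* always true if din[i+1] == INT32_MAX */
            if (n == 0 || out[n - 1] != j) {
                if (n >= cap)
                    return -1;         /* would write past the buffer */
                out[n++] = j;
            }
            j = (int32_t) ((uint32_t) j + 1u);   /* INT32_MAX -> INT32_MIN */
        }
    }
    return (long) n;
}

/* Same expansion with the counter widened to int64, as proposed in the reply:
 * j can reach 2^31, so the loop condition finally becomes false. */
static long expand_wide(const int32_t *din, int lenin, int32_t *out, size_t cap)
{
    size_t n = 0;
    for (int i = 0; i < lenin; i += 2)
        for (int64_t j = din[i]; j <= din[i + 1]; j++)
            if (n == 0 || out[n - 1] != j) {
                if (n >= cap)
                    return -1;
                out[n++] = (int32_t) j;
            }
    return (long) n;
}

int main(void)
{
    int32_t din[] = { INT32_MAX, INT32_MAX };   /* constructed input: one range */
    int32_t out[4];
    printf("narrow: %ld\n", expand_narrow(din, 2, out, 4));
    printf("wide:   %ld\n", expand_wide(din, 2, out, 4));
    return 0;
}
```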


