Home > mailing lists

Avoid a possible out-of-bounds access (src/backend/optimizer/util/relnode.c) - Mailing list pgsql-hackers

From	Ranier Vilela
Subject	Avoid a possible out-of-bounds access (src/backend/optimizer/util/relnode.c)
Date	September 23, 2023 14:58:29
Msg-id	CAEudQArQSghBu2gLojg4o_tnHj_x2HcS=+wewL3NJS8z0VnK+g@mail.gmail.com Whole thread Raw
Responses	Re: Avoid a possible out-of-bounds access (src/backend/optimizer/util/relnode.c) Re: Avoid a possible out-of-bounds access (src/backend/optimizer/util/relnode.c)
List	pgsql-hackers

Tree view

Hi,

Per Coverity.

CID 1518088 (#2 of 2): Improper use of negative value (NEGATIVE_RETURNS)

The function bms_singleton_member can returns a negative number.

/*
* Get a child rel for rel2 with the relids. See above comments.
*/
if (rel2_is_simple)
{
int varno = bms_singleton_member(child_relids2);

child_rel2 = find_base_rel(root, varno);
}

It turns out that in the get_matching_part_pairs function (joinrels.c), the return of bms_singleton_member is passed to the find_base_rel function, which cannot receive a negative value.

find_base_rel is protected by an Assertion, which effectively indicates that the error does not occur in tests and in DEBUG mode.

But this does not change the fact that bms_singleton_member can return a negative value, which may occur on some production servers.

Fix by changing the Assertion into a real test, to protect the simple_rel_array array.

best regards,

Ranier Vilela

Attachment

0001-Avoid-possible-out-of-bounds-access.patch

pgsql-hackers by date:

From: Amit Kapila
Date: 23 September 2023, 08:58:04
Subject: Re: Invalidate the subscription worker in cases where a user loses their superuser status

From: Alexander Lakhin
Date: 23 September 2023, 15:00:00
Subject: Should rolpassword be toastable?

Avoid a possible out-of-bounds access (src/backend/optimizer/util/relnode.c) - Mailing list pgsql-hackers

Attachment

Previous

Next