Guard against unexpected dimensions of oidvector/int2vector.
Tom Lane <tgl@sss.pgh.pa.us>
Guard against unexpected dimensions of oidvector/int2vector. These data types are represented like full-fledged arrays, but functions that deal specifically with these types assume that the array is 1-dimensional and contains no nulls. However, there are cast pathways that allow general oid[] or int2[] arrays to be cast to these types, allowing these expectations to be violated. This can be exploited to cause server memory disclosure or SIGSEGV. Fix by installing explicit checks in functions that accept these types. Reported-by: Altan Birler <altan.birler@tum.de> Author: Tom Lane <tgl@sss.pgh.pa.us> Reviewed-by: Noah Misch <noah@leadboat.com> Security: CVE-2026-2003 Backpatch-through: 14
Files
| Path | Change | +/− |
|---|---|---|
| src/backend/access/hash/hashfunc.c | modified | +3 −0 |
| src/backend/access/nbtree/nbtcompare.c | modified | +4 −0 |
| src/backend/utils/adt/format_type.c | modified | +5 −1 |
| src/backend/utils/adt/int.c | modified | +30 −1 |
| src/backend/utils/adt/oid.c | modified | +30 −1 |
| src/include/utils/builtins.h | modified | +1 −0 |
| src/test/regress/expected/arrays.out | modified | +5 −0 |
| src/test/regress/sql/arrays.sql | modified | +4 −0 |