Thread

  1. BUG #18853: integer may overflow in array_user_functions

    PG Bug reporting form <noreply@postgresql.org> — 2025-03-18T08:02:46Z

    The following bug has been logged on the website:
    
    Bug reference:      18853
    Logged by:          ma liangzhu
    Email address:      ma100@hotmail.com
    PostgreSQL version: 17.0
    Operating system:   centos
    Description:        
    
    I noticed that in the array_userfunc.c file, there are many calculations
    involving int32 without overflow checks. 
    
    For example: 
    
    int reqsize = state1->nbytes + state2->nbytes; 
    
    This could potentially cause overflow, leading to issues.
    
    
  2. Re: BUG #18853: integer may overflow in array_user_functions

    Tom Lane <tgl@sss.pgh.pa.us> — 2025-03-18T13:58:05Z

    PG Bug reporting form <noreply@postgresql.org> writes:
    > I noticed that in the array_userfunc.c file, there are many calculations
    > involving int32 without overflow checks. 
    
    > For example: 
    > int reqsize = state1->nbytes + state2->nbytes; 
    
    This particular example is expected not to overflow because Datum
    sizes are restricted to be < 1GB.  There may indeed be live overflow
    hazards in array_userfunc.c (or elsewhere), but you will need a
    considerably more sophisticated analysis to demonstrate it.
    
    			regards, tom lane