Re: BUG #17888: Incorrect memory access in gist__int_ops for an input array with many elements
Alexander Law <exclusion@gmail.com>
From: Alexander Lakhin <exclusion@gmail.com>
To: Richard Guo <guofenglinux@gmail.com>,
Ankit Kumar Pandey <itsankitkp@gmail.com>,
David Rowley <dgrowleyml@gmail.com>, Teodor Sigaev <teodor@sigaev.ru>,
pgsql-bugs@lists.postgresql.org
Date: 2023-05-31T06:00:00Z
Lists: pgsql-bugs
Attachments
- v2-01-gist-int-ops-overflow.patch (text/x-patch) patch v2
- v2-02-gist-int-errcodes.patch (text/x-patch) patch v2
07.04.2023 11:57, Richard Guo wrote: > > On Fri, Apr 7, 2023 at 4:21 AM PG Bug reporting form <noreply@postgresql.org> wrote: > > NOTICE: input array is too big (199 maximum allowed, 1001 current), use > gist__intbig_ops opclass instead > > > In g_int_compress, > > if (ARRNELEMS(r) >= 2 * num_ranges) > elog(NOTICE, "input array is too big (%d maximum allowed, %d current), use gist__intbig_ops opclass instead", > 2 * num_ranges - 1, ARRNELEMS(r)); > > Wondering why elog with NOTICE rather than Error here. The NOTICE appeared there in commit 08ee64ebf5 (from year 2005) in an attempt to get rid of flags (ISLEAFKEY(in)) [1] and probably expressed an intention to play gently (don't break compatibility?). The patch proposed at [2] looks correct to me. Thank you, Ankit! Though I would add a simple case to the intarray regression test and also add errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED) to other two places in _int_gist.c for the sake of consistency. Please look at the patches attached. [1] https://www.postgresql.org/message-id/43786274.3020200%40sigaev.ru [2] https://www.postgresql.org/message-id/796b65c3-57b7-bddf-b0d5-a8afafb8b627%40gmail.com
Commits
-
intarray: Prevent out-of-bound memory reads with gist__int_ops
- ab40b0395a75 11.21 landed
- 6ecc1c02ade5 12.16 landed
- ae9aac64a38f 13.12 landed
- 019a40d61959 14.9 landed
- 4be308edee44 15.4 landed
- c00fbe89dc51 16.0 landed
-
Remove usage of ArrayType->flags field, use pgsql's macros BITS_PER_BYTE instead
- 08ee64ebf5e5 8.2.0 cited