| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Nathan Bossart <nathandbossart(at)gmail(dot)com> |
| Cc: | Mats Kindahl <mats(at)timescale(dot)com>, Thomas Munro <thomas(dot)munro(at)gmail(dot)com>, Andres Freund <andres(at)anarazel(dot)de>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, pgsql-hackers(at)lists(dot)postgresql(dot)org |
| Subject: | Re: glibc qsort() vulnerability |
| Date: | 2024-02-08 18:44:02 |
| Message-ID: | 1074897.1707417842@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Nathan Bossart <nathandbossart(at)gmail(dot)com> writes:
> On Thu, Feb 08, 2024 at 02:16:11PM +0100, Mats Kindahl wrote:
>> +/*
>> + * Compare two integers and return -1, 0, or 1 without risking overflow.
>> + *
>> + * This macro is used to avoid running into overflow issues because a simple
>> + * subtraction of the two values when implementing a cmp function for qsort().
>> +*/
>> +#define INT_CMP(lhs,rhs) (((lhs) > (rhs)) - ((lhs) < (rhs)))
> I think we should offer a few different macros, i.e., separate macros for
> int8, uint8, int16, uint16, int32, etc. For int16, we can do something
> faster like
> (int32) (lhs) - (int32) (rhs)
> but for int32, we need to do someting more like what's in the patch.
Are we okay with using macros that (a) have double evaluation hazards
and (b) don't enforce the data types being compared are the same?
I think static inlines might be a safer technology. Perhaps it's
okay given the only expected use is in qsort comparators, but ...
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jim Jones | 2024-02-08 19:37:38 | Re: Psql meta-command conninfo+ |
| Previous Message | Nathan Bossart | 2024-02-08 18:38:35 | Re: glibc qsort() vulnerability |