Re: BUG #18273: Incorrect memory access occurs when gist__int index is building on data containing 2^31-1

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: exclusion(at)gmail(dot)com
Cc: pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: BUG #18273: Incorrect memory access occurs when gist__int index is building on data containing 2^31-1
Date: 2024-01-07 19:42:39
Message-ID: 1636926.1704656559@sss.pgh.pa.us
Lists: pgsql-bugs

PG Bug reporting form <noreply(at)postgresql(dot)org> writes:
> As far as I can see, the loop for j shown below:
>
> Datum
> g_int_decompress(PG_FUNCTION_ARGS)
> {
>     ...
>     for (i = 0; i < lenin; i += 2)
>         for (j = din[i]; j <= din[i + 1]; j++)
>             if ((!i) || *(dr - 1) != j)
>                 *dr++ = j;
>
> overflows when din[i] == din[i+1] == 2147483647.

Yeah, you are right. Probably the simplest fix is to widen j to
int64. I see that somebody has already int64-ified g_int_compress
and internal_size (else we'd not get this far), but they missed this.

Will fix, thanks for the report!

regards, tom lane
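As an added illustration (not code from this thread or from PostgreSQL), the quoted loop reduced to a stand-alone C function in both its 32-bit form and the int64-widened form Tom describes, run over a constructed pair array whose last range is [INT32_MAX, INT32_MAX]; the names expand_int32/expand_int64, sample_in and the -1/-2 return codes are my own. The 32-bit version stops at the point where the real loop's j++ would overflow, so the failure is observable rather than undefined behaviour.

```c
#include <stdint.h>

/* Constructed input in the [lo, hi] pair layout g_int_decompress walks;
 * the last pair [INT32_MAX, INT32_MAX] is the bug-report case. */
static const int32_t sample_in[] = {5, 7, 7, 9, INT32_MAX, INT32_MAX};
#define SAMPLE_LEN 6

/* The quoted loop with a 32-bit j, stopped where j++ would pass INT32_MAX
 * (in the real code that overflows and "j <= din[i + 1]" never fails).
 * Returns -2 there, -1 if out would exceed cap, else the count written. */
static int expand_int32(const int32_t *din, int lenin, int32_t *out, int cap)
{
    int32_t *dr = out;
    for (int i = 0; i < lenin; i += 2)
        for (int32_t j = din[i]; j <= din[i + 1]; j++) {
            if ((!i) || *(dr - 1) != j) {   /* i == 0: dr - 1 is invalid */
                if (dr - out >= cap) return -1;
                *dr++ = j;
            }
            if (j == INT32_MAX) return -2;  /* next j++ would wrap */
        }
    return (int) (dr - out);
}

/* Same loop with j widened to int64_t (the fix): j reaches INT32_MAX + 1,
 * so a range ending at INT32_MAX terminates normally. */
static int expand_int64(const int32_t *din, int lenin, int32_t *out, int cap)
{
    int32_t *dr = out;
    for (int i = 0; i < lenin; i += 2)
        for (int64_t j = din[i]; j <= din[i + 1]; j++) {
            if ((!i) || *(dr - 1) != j) {
                if (dr - out >= cap) return -1;
                *dr++ = (int32_t) j;
            }
        }
    return (int) (dr - out);
}

/* 1 when the widened loop yields exactly 5 6 7 8 9 INT32_MAX, else 0. */
static int sample_expands_correctly(void)
{
    int32_t out[16];
    const int32_t want[] = {5, 6, 7, 8, 9, INT32_MAX};
    if (expand_int64(sample_in, SAMPLE_LEN, out, 16) != 6) return 0;
    for (int k = 0; k < 6; k++) if (out[k] != want[k]) return 0;
    return 1;
}
```

The duplicate-skip test also shows why the `(!i)` guard is there: on the first pair `dr - 1` points before the output buffer, so it must not be dereferenced.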
