| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | bianpan2016(at)163(dot)com |
| Cc: | pgsql-bugs(at)postgresql(dot)org |
| Subject: | Re: BUG #14931: Unchecked attnum value in ATExecAlterColumnType() |
| Date: | 2017-11-28 01:37:16 |
| Message-ID: | 22670.1511833036@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
bianpan2016(at)163(dot)com writes:
> File: src/backend/commands/tablecmds.c
> Function: ATExecAlterColumnType
> Line: 8986
> The value of field attTup->attnum may be zero or even negative. However, in
> function ATExecAlterColumnType(), its value is incorrectly assumed to be
> larger than or equal to 1. In an exceptional case, it may lead to a buffer
> overflow bug (see lines 8989 and 8990).
I do not think this is a real problem, because ATPrepAlterColumnType
has already checked for attnum <= 0 (at line 8826, in HEAD). If
ATExecAlterColumnType can't assume that ATPrepAlterColumnType has
already been run, we have more problems than this.
> I also collect a function (i.e. ATExecDropNotNull) in the same file as an
> example, shown as follows:
The division of labor between Prep and Exec functions isn't very uniform
in this file. That may not be a great thing stylistically, but if we
decide it's something to improve, it'd have to be done holistically not
one point at a time.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Michael Paquier | 2017-11-28 01:39:34 | Re: [BUGS] BUG #14866: The generated constraint in the typed table causes the server to crash |
| Previous Message | Tom Lane | 2017-11-28 01:14:21 | Re: BUG #14929: Unchecked AllocateDir() return value in restoreTwoPhaseData() |