| From: | Ranier Vilela <ranier(dot)vf(at)gmail(dot)com> |
|---|---|
| To: | Pg Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Avoid a possible out-of-bounds access (src/backend/optimizer/util/relnode.c) |
| Date: | 2023-09-23 11:58:29 |
| Message-ID: | CAEudQArQSghBu2gLojg4o_tnHj_x2HcS=+wewL3NJS8z0VnK+g@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hi,
Per Coverity.
CID 1518088 (#2 of 2): Improper use of negative value (NEGATIVE_RETURNS)
The function bms_singleton_member can returns a negative number.
/*
* Get a child rel for rel2 with the relids. See above comments.
*/
if (rel2_is_simple)
{
int varno = bms_singleton_member(child_relids2);
child_rel2 = find_base_rel(root, varno);
}
It turns out that in the get_matching_part_pairs function (joinrels.c), the
return of bms_singleton_member is passed to the find_base_rel function,
which cannot receive a negative value.
find_base_rel is protected by an Assertion, which effectively indicates
that the error does not occur in tests and in DEBUG mode.
But this does not change the fact that bms_singleton_member can return a
negative value, which may occur on some production servers.
Fix by changing the Assertion into a real test, to protect the
simple_rel_array array.
best regards,
Ranier Vilela
| Attachment | Content-Type | Size |
|---|---|---|
| 0001-Avoid-possible-out-of-bounds-access.patch | application/octet-stream | 476 bytes |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alexander Lakhin | 2023-09-23 12:00:00 | Should rolpassword be toastable? |
| Previous Message | Amit Kapila | 2023-09-23 05:58:04 | Re: Invalidate the subscription worker in cases where a user loses their superuser status |