| From: | Etsuro Fujita <etsuro(dot)fujita(at)gmail(dot)com> |
|---|---|
| To: | Ranier Vilela <ranier(dot)vf(at)gmail(dot)com> |
| Cc: | Pg Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Avoid a possible out-of-bounds access (src/backend/optimizer/util/relnode.c) |
| Date: | 2023-09-24 04:50:39 |
| Message-ID: | CAPmGK15uitYHTmH=Z7pwvrHKW+08YWZoUYbGy_Ecym54DdLJ6w@mail.gmail.com |
| Lists: | pgsql-hackers |
Hi,

On Sat, Sep 23, 2023 at 9:59 PM Ranier Vilela <ranier(dot)vf(at)gmail(dot)com> wrote:
> Per Coverity.
> CID 1518088 (#2 of 2): Improper use of negative value (NEGATIVE_RETURNS)
>
> The function bms_singleton_member can return a negative number.
>
> /*
>  * Get a child rel for rel2 with the relids. See above comments.
>  */
> if (rel2_is_simple)
> {
>     int varno = bms_singleton_member(child_relids2);
>
>     child_rel2 = find_base_rel(root, varno);
> }
>
> It turns out that in the get_matching_part_pairs function (joinrels.c), the return of bms_singleton_member is passed to the find_base_rel function, which cannot receive a negative value.
>
> find_base_rel is protected by an Assertion, which effectively indicates that the error does not occur in tests and in DEBUG mode.
>
> But this does not change the fact that bms_singleton_member can return a negative value, which may occur on some production servers.
>
> Fix by changing the Assertion into a real test, to protect the simple_rel_array array.

Thanks for the report and patch! I will review the patch.

Best regards,
Etsuro Fujita
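
The change proposed in the quoted report, sketched as an added example that is not part of the original message and is not PostgreSQL's source: an array lookup guarded only by an assertion, next to the same lookup with a run-time lower-bound test. All names (`singleton_member_model`, `find_rel_assert_only`, `find_rel_checked`, `MODEL_ASSERT`, the `Rel` and `Planner` structs) are hypothetical stand-ins, the helper returning -1 is an assumption taken from the report, and the checked lookup returns NULL here purely for illustration.

```c
#include <stdio.h>

/* Constructed stand-ins for this example; not PostgreSQL's definitions. */
typedef struct { int relid; } Rel;
typedef struct { Rel **simple_rel_array; int simple_rel_array_size; } Planner;

/* Models an assertion in a non-assert build, where it expands to nothing. */
#define MODEL_ASSERT(c) ((void) 0)

/* Assumption taken from the report: -1 unless exactly one bit is set. */
static int singleton_member_model(unsigned int set) {
    int pos = 0;
    if (set == 0 || (set & (set - 1)) != 0)
        return -1;
    while ((set >> pos) != 1u)
        pos++;
    return pos;
}

/* Before: the assertion is the only guard against relid <= 0. */
static Rel *find_rel_assert_only(const Planner *p, int relid) {
    MODEL_ASSERT(relid > 0);
    if (relid < p->simple_rel_array_size)
        return p->simple_rel_array[relid]; /* relid == -1 would index before the array */
    return NULL;
}

/* After: the lower bound is tested at run time in every build. */
static Rel *find_rel_checked(const Planner *p, int relid) {
    if (relid > 0 && relid < p->simple_rel_array_size)
        return p->simple_rel_array[relid];
    return NULL;
}

/* Constructed sample data: slots 1 and 2 hold relations. */
static Rel r1 = {1}, r2 = {2};
static Rel *rels[] = {NULL, &r1, &r2, NULL};
static Planner sample = {rels, 4};

/* Relid found for a relid set, or -1 when the lookup is rejected. */
static int lookup_relid(unsigned int relids) {
    Rel *rel = find_rel_checked(&sample, singleton_member_model(relids));
    return rel ? rel->relid : -1;
}

int main(void) {
    printf("valid: %d, rejected: %d\n", lookup_relid(0x4u), lookup_relid(0x6u));
    return find_rel_assert_only(&sample, 2) == &r2 ? 0 : 1;
}
```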