Fix integer overflow in subvector() function (#530)

`end = start + count` can overflow if `start` is very large. That
leads to a segfault later in the function. Add a test case for it.
Heikki Linnakangas
2024-04-24 11:20:16 +03:00
committed by GitHub
parent ad3f811fa3
commit 14b351bc92
6 changed files with 45 additions and 9 deletions


@@ -980,17 +980,32 @@ subvector(PG_FUNCTION_ARGS)
Vector *a = PG_GETARG_VECTOR_P(0);
int32 start = PG_GETARG_INT32(1);
int32 count = PG_GETARG_INT32(2);
int32 end = start + count;
int32 end;
float *ax = a->x;
Vector *result;
int dim;
if (count < 1)
ereport(ERROR,
(errcode(ERRCODE_DATA_EXCEPTION),
errmsg("vector must have at least 1 dimension")));
/*
* Check if (start + count > a->dim), avoiding integer overflow. a->dim
* and count are both positive, so a->dim - count won't overflow.
*/
if (start > a->dim - count)
end = a->dim + 1;
else
end = start + count;
/* Indexing starts at 1, like substring */
if (start < 1)
start = 1;
if (end > a->dim)
end = a->dim + 1;
else if (start > a->dim)
ereport(ERROR,
(errcode(ERRCODE_DATA_EXCEPTION),
errmsg("vector must have at least 1 dimension")));
dim = end - start;
CheckDim(dim);
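Review bot: The overflow argument for `start > a->dim - count` is only valid because the `count < 1` rejection sits above it and because `a->dim` is positive, but the comment does not say that the ordering is load-bearing; someone reordering the checks later would silently reintroduce the overflow. I would extend the comment with `* Relies on the count < 1 check above (count >= 1) and on a->dim >= 1;` `* keep that check before this one.` The later `else if (start > a->dim)` branch looks redundant with `CheckDim(dim)`, since that case already forces `end = a->dim + 1` and hence `dim <= 0`, though CheckDim is outside the hunk so its message may differ. The rendered page has lost the +/- markers, so the sides are inferred; the function body continues past `CheckDim(dim)` outside the hunk.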