granicus.if.org Git - postgresql/commit

author	Andrew Gierth <rhodiumtoad@postgresql.org>
	Fri, 23 Nov 2018 23:56:39 +0000 (23:56 +0000)
committer	Andrew Gierth <rhodiumtoad@postgresql.org>
	Sat, 24 Nov 2018 08:39:58 +0000 (08:39 +0000)
commit	f0bfc7a2b13a6cd48b6cea253b0e9f918e457c6d
tree	da8281645c25c81e39e3d9054abb7279ada737a3	tree \| snapshot
parent	4dc94485f57a56ce2838136cff73bc80265f04c9	commit \| diff

Avoid crashes in contrib/intarray gist__int_ops (bug #15518)

1. Integer overflow in internal_size could result in memory corruption
in decompression since a zero-length array would be allocated and then
written to. This leads to crashes or corruption when traversing an
index which has been populated with sufficiently sparse values. Fix by
using int64 for computations and checking for overflow.

2. Integer overflow in g_int_compress could cause pessimal merge
choices, resulting in unnecessarily large ranges (which would in turn
trigger issue 1 above). Fix by using int64 again.

3. Even without overflow, array sizes could become large enough to
cause unexplained memory allocation errors. Fix by capping the sizes
to a safe limit and report actual errors pointing at gist__intbig_ops
as needed.

4. Large inputs to the compression function always consist of large
runs of consecutive integers, and the compression loop was processing
these one at a time in an O(N^2) manner with a lot of overhead. The
expected runtime of this function could easily exceed 6 months for a
single call as a result. Fix by performing a linear-time first pass,
which reduces the worst case to something on the order of seconds.

Backpatch all the way, since this has been wrong forever.

Per bug #15518 from report from irc user "dymk", analysis and patch by
me.

Discussion: https://postgr.es/m/15518-799e426c3b4f8358@postgresql.org

contrib/intarray/_int_gist.c		diff \| blob \| history
contrib/intarray/_int_tool.c		diff \| blob \| history