From: Paul Ramsey <pramsey@cleverelephant.ca>
Date: Thu, 13 Sep 2018 19:25:24 +0000 (+0000)
Subject: Avoid array overflow in ANALYZE (Closes #2985)
X-Git-Tag: 3.0.0alpha1~417
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ff7727d5d0664ef979e51cf7bdbfbf77ec96d883;p=postgis

Avoid array overflow in ANALYZE (Closes #2985)


git-svn-id: http://svn.osgeo.org/postgis/trunk@16785 b70326c6-7e19-0410-871a-916f4a2858ee
---

diff --git a/postgis/gserialized_estimate.c b/postgis/gserialized_estimate.c
index 971705559..a850c30ef 100644
--- a/postgis/gserialized_estimate.c
+++ b/postgis/gserialized_estimate.c
@@ -775,7 +775,7 @@ nd_box_array_distribution(const ND_BOX **nd_boxes, int num_boxes, const ND_BOX *
 	for ( d = 0; d < ndims; d++ )
 	{
 		/* Initialize counts for this dimension */
-		memset(counts, 0, sizeof(int)*NUM_BINS);
+		memset(counts, 0, sizeof(counts));
 
 		smin = extent->min[d];
 		smax = extent->max[d];
@@ -809,8 +809,12 @@ nd_box_array_distribution(const ND_BOX **nd_boxes, int num_boxes, const ND_BOX *
 			}
 
 			/* What bins does this range correspond to? */
-			bmin = NUM_BINS * (minoffset) / swidth;
-			bmax = NUM_BINS * (maxoffset) / swidth;
+			bmin = floor(NUM_BINS * minoffset / swidth);
+			bmax = floor(NUM_BINS * maxoffset / swidth);
+
+			/* Should only happen when maxoffset==swidth */
+			if (bmax >= NUM_BINS)
+				bmax = NUM_BINS-1;
 
 			POSTGIS_DEBUGF(4, " dimension %d, feature %d: bin %d to bin %d", d, i, bmin, bmax);