From c9ae257e232ab9256bdf867ab9da570c4ab6f10a Mon Sep 17 00:00:00 2001 From: Heikki Linnakangas Date: Wed, 11 Aug 2010 19:12:27 +0000 Subject: [PATCH] The sanity check added to array_recv() wa a bit too tight; we must continue to accept an empty array with dimension information. array_send() can output such arrays. Per report from Vladimir Shakhov. --- src/backend/utils/adt/arrayfuncs.c | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/src/backend/utils/adt/arrayfuncs.c b/src/backend/utils/adt/arrayfuncs.c index 533b77c1cd..02e7a814e9 100644 --- a/src/backend/utils/adt/arrayfuncs.c +++ b/src/backend/utils/adt/arrayfuncs.c @@ -8,7 +8,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/utils/adt/arrayfuncs.c,v 1.164 2010/02/26 02:01:07 momjian Exp $ + * $PostgreSQL: pgsql/src/backend/utils/adt/arrayfuncs.c,v 1.165 2010/08/11 19:12:27 heikki Exp $ * *------------------------------------------------------------------------- */ @@ -1213,17 +1213,21 @@ array_recv(PG_FUNCTION_ARGS) for (i = 0; i < ndim; i++) { - int ub; - dim[i] = pq_getmsgint(buf, 4); lBound[i] = pq_getmsgint(buf, 4); - ub = lBound[i] + dim[i] - 1; - /* overflow? */ - if (lBound[i] > ub) - ereport(ERROR, - (errcode(ERRCODE_NUMERIC_VALUE_OUT_OF_RANGE), - errmsg("integer out of range"))); + /* + * Check overflow of upper bound. (ArrayNItems() below checks that + * dim[i] >= 0) + */ + if (dim[i] != 0) + { + int ub = lBound[i] + dim[i] - 1; + if (lBound[i] > ub) + ereport(ERROR, + (errcode(ERRCODE_NUMERIC_VALUE_OUT_OF_RANGE), + errmsg("integer out of range"))); + } } /* This checks for overflow of array dimensions */ -- 2.40.0