git.postgresql.org Git - postgresql.git/commitdiff

git projects / postgresql.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ae58f14)
Fix "path" infrastructure bug affecting jsonb_set()
author Andrew Dunstan <andrew@dunslane.net>
2015年6月12日 23:26:03 +0000 (19:26 -0400)
committer Andrew Dunstan <andrew@dunslane.net>
2015年6月12日 23:26:03 +0000 (19:26 -0400)
jsonb_set() and other clients of the setPathArray() utility function
could get spurious results when an array integer subscript is provided
that is not within the range of int.

To fix, ensure that the value returned by strtol() within setPathArray()
is within the range of int; when it isn't, assume an invalid input in
line with existing, similar cases. The path-orientated operators that
appeared in PostgreSQL 9.3 and 9.4 do not call setPathArray(), and
already independently take this precaution, so no change there.

Peter Geoghegan

src/backend/utils/adt/jsonfuncs.c patch | blob | blame | history

diff --git a/src/backend/utils/adt/jsonfuncs.c b/src/backend/utils/adt/jsonfuncs.c
index c14d3f73fca51aceb0e5a4858993d9225eb0edb7..13d5b7af2f47d03f57e33511b54fc1eaddd75ded 100644 (file)
--- a/src/backend/utils/adt/jsonfuncs.c
+++ b/src/backend/utils/adt/jsonfuncs.c
@@ -3814,11 +3814,14 @@ setPathArray(JsonbIterator **it, Datum *path_elems, bool *path_nulls,
if (level < path_len && !path_nulls[level])
{
char *c = VARDATA_ANY(path_elems[level]);
+ long lindex;
errno = 0;
- idx = (int) strtol(c, &badp, 10);
- if (errno != 0 || badp == c)
+ lindex = strtol(c, &badp, 10);
+ if (errno != 0 || badp == c || lindex > INT_MAX || lindex < INT_MIN)
idx = nelems;
+ else
+ idx = lindex;
}
else
idx = nelems;
This is the main PostgreSQL git repository.
RSS Atom

AltStyle によって変換されたページ (->オリジナル) /