[sqlsmith] Infinite recursion in bitshift
Hi,
sqlsmith just found another crasher:
select bit '1' >> (-2^31)::int;
This is due to an integer overflow in bitshiftright()/bitshiftleft()
leading to them recursively calling each other. Patch attached.
regards,
Andreas
Attachments:
0001-Fix-possible-infinite-recursion-on-bitshift.patchtext/x-diffDownload+12-2
Andreas Seltenreich <seltenreich@gmx.de> writes:
sqlsmith just found another crasher:
select bit '1' >> (-2^31)::int;
Nice catch :-)
This is due to an integer overflow in bitshiftright()/bitshiftleft()
leading to them recursively calling each other. Patch attached.
Seems sane, though I wonder if it'd be better to use -INT_MAX rather
than -VARBITMAXLEN.
regards, tom lane
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
Tom Lane writes:
This is due to an integer overflow in bitshiftright()/bitshiftleft()
leading to them recursively calling each other. Patch attached.Seems sane, though I wonder if it'd be better to use -INT_MAX rather
than -VARBITMAXLEN.
I am undecided between those two. -INT_MAX might be a more precise fix
for the problem, but the extra distance to the danger zone was kind of
soothing :-).
regards,
Andreas
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
Andreas Seltenreich <seltenreich@gmx.de> writes:
Tom Lane writes:
Seems sane, though I wonder if it'd be better to use -INT_MAX rather
than -VARBITMAXLEN.
I am undecided between those two. -INT_MAX might be a more precise fix
for the problem, but the extra distance to the danger zone was kind of
soothing :-).
Yeah, might as well use the tighter limit.
Poking around in varbit.c, I noticed some other places that were assuming
that a typmod couldn't exceed VARBITMAXLEN. anybit_typmodin() enforces
that, but there are places where a user can shove in an arbitrary integer,
eg
regression=# select "bit"(42, 2147483647);
ERROR: invalid memory alloc request size 18446744073441116169
I fixed those too and pushed it. Thanks for the report!
regards, tom lane
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
On Fri, Oct 14, 2016 at 3:31 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
Andreas Seltenreich <seltenreich@gmx.de> writes:
Tom Lane writes:
Seems sane, though I wonder if it'd be better to use -INT_MAX rather
than -VARBITMAXLEN.I am undecided between those two. -INT_MAX might be a more precise fix
for the problem, but the extra distance to the danger zone was kind of
soothing :-).Yeah, might as well use the tighter limit.
Poking around in varbit.c, I noticed some other places that were assuming
that a typmod couldn't exceed VARBITMAXLEN. anybit_typmodin() enforces
that, but there are places where a user can shove in an arbitrary integer,
egregression=# select "bit"(42, 2147483647);
ERROR: invalid memory alloc request size 18446744073441116169I fixed those too and pushed it. Thanks for the report!
Curious -- are there real world scenarios where this would happen?
merlin
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
Merlin Moncure <mmoncure@gmail.com> writes:
On Fri, Oct 14, 2016 at 3:31 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
Poking around in varbit.c, I noticed some other places that were assuming
that a typmod couldn't exceed VARBITMAXLEN.
Curious -- are there real world scenarios where this would happen?
I think you'd have to be intentionally trying to break it. The largest
varbit typmod you're allowed to declare normally is only ~ 80 million.
regards, tom lane
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers