Em qui., 6 de jul. de 2023 às 11:37, Daniel Gustafsson <dan...@yesql.se>
escreveu:
> > On 6 Jul 2023, at 16:28, Ranier Vilela <ranier...@gmail.com> wrote:
>
> > The function SH_START_ITERATE can trigger some overflow.
> >
> > See:
> > typedef struct SH_ITERATOR
> > {
> > uint32 cur; /* current element */
> > uint32 end;
> > bool done; /* iterator exhausted? */
> > } SH_ITERATOR;
> >
> > The cur field is uint32 size and currently can be stored a uint64,
> > which obviously does not fit.
>
> - Assert(startelem < SH_MAX_SIZE);
> + Assert(startelem < PG_UINT32_MAX);
>
> I mighe be missing something, but from skimming the current code,
> SH_MAX_SIZE
> is currently defined as:
>
> #define SH_MAX_SIZE (((uint64) PG_UINT32_MAX) + 1)
>
This is Assert, that is, in production this test is not done.
See the comments:
"Search for the first empty element."
If the empty element is not found, startelem has PG_UINT64_MAX value,
which do not fit in uint32.
Can you see this?
regards,
Ranier Vilela
