> On Jan 4, 2026, at 14:28, David Rowley <[email protected]> wrote:
> 
> On Sun, 4 Jan 2026 at 16:20, Chao Li <[email protected]> wrote:
>> I noticed an int32 overflow problem in intarray’s compare_val_int4():
>> ```
>> /*
>> * Comparison function for binary search in mcelem array.
>> */
>> static int
>> compare_val_int4(const void *a, const void *b)
>> {
>>    int32       key = *(int32 *) a;
>>    const Datum *t = (const Datum *) b;
>> 
>>    return key - DatumGetInt32(*t);
>> }
>> ```
>> 
>> As this function is a bsearch comparator, it is supposed to return >0, =0 or 
>> <0. However this function uses subtraction with two int32 and returns an 
>> int, which may result in an overflow. Say, key is INT32_MAX and *t is -1, 
>> the return value will be negative due to overflow.
> 
> Nice find. Was that found by a static analyser or by eye?
> 
> I can take care of the overflow issue. I feel the test is a step too
> far as it seems unlikely ever to be rebroken, but thanks for the
> SQL-based test case to demonstrate the issue.
> 
> David

Hi David,

It was spotted by eye. As a newcomer, I’m trying to get more familiar with the 
codebase, so while reviewing other patches I’ve been in the habit of poking 
around related files. In this case, the comparison function looked error-prone, 
so I verified the overflow scenario with the small program. I didn’t post this 
one too quickly because I spent time creating the test. :)

I added the test to demonstrate the issue and to prove the fix. If you think 
including the test is unnecessary and prefer to just take the fix, that’s 
absolutely fine with me.

Thanks again for taking care of this.

Best regards,
--
Chao Li (Evan)
HighGo Software Co., Ltd.
https://www.highgo.com/
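The overflow Chao Li describes, as an added example that is not part of the thread or of PostgreSQL's source: the original `key - value` comparator beside a three-way replacement, a consistency check that a practitioner can run over any bsearch() comparator, and a bsearch() over a constructed "mcelem" array that the overflowing version fails to search. `Datum`, `DatumGetInt32` and `Int32GetDatum` are simplified stand-ins for the PostgreSQL macros (an assumption of this example), and the overflowing subtraction is done in `uint32_t` so that the wrap is reproduced deterministically rather than as undefined behaviour.

```c
/*
 * Added example, not PostgreSQL code: why "return key - value" breaks a
 * bsearch() comparator over the full int32 range, and the three-way fix.
 * Build and run: cc -std=c99 -Wall cmp_overflow.c -o cmp_overflow && ./cmp_overflow
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uintptr_t Datum;        /* assumed stand-in for PostgreSQL's Datum */
#define DatumGetInt32(d)  ((int32_t) (uint32_t) (d))
#define Int32GetDatum(v)  ((Datum) (uint32_t) (int32_t) (v))

/*
 * The original pattern.  Signed overflow is undefined behaviour in C, so the
 * subtraction is done in uint32_t and converted back: that reproduces the
 * two's-complement wrap the signed expression produces on real hardware.
 */
static int
compare_val_int4_overflowing(const void *a, const void *b)
{
    int32_t     key = *(const int32_t *) a;
    const Datum *t = (const Datum *) b;
    uint32_t    diff = (uint32_t) key - (uint32_t) DatumGetInt32(*t);

    return (int32_t) diff;
}

/* Fixed comparator: explicit three-way compare, no arithmetic to overflow. */
static int
compare_val_int4_fixed(const void *a, const void *b)
{
    int32_t     key = *(const int32_t *) a;
    int32_t     val = DatumGetInt32(*(const Datum *) b);

    return (key > val) - (key < val);
}

/* Sign (-1, 0, 1) of cmp(key, val), with val packed as bsearch() would pass it. */
static int
cmp_sign(int (*cmp) (const void *, const void *), int32_t key, int32_t val)
{
    Datum       d = Int32GetDatum(val);
    int         r = cmp(&key, &d);

    return (r > 0) - (r < 0);
}

/*
 * Property every bsearch comparator must satisfy: the sign of cmp(a, b)
 * matches the real ordering of a and b and is the negation of cmp(b, a).
 * Probes straddle both ends of the int32 range.  Returns 1 if consistent.
 */
static int
comparator_is_consistent(int (*cmp) (const void *, const void *))
{
    static const int32_t probes[] = {INT32_MIN, INT32_MIN + 1, -1, 0, 1,
                                     INT32_MAX - 1, INT32_MAX};
    size_t      n = sizeof(probes) / sizeof(probes[0]);

    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++)
        {
            int         expect = (probes[i] > probes[j]) - (probes[i] < probes[j]);

            if (cmp_sign(cmp, probes[i], probes[j]) != expect ||
                cmp_sign(cmp, probes[j], probes[i]) != -expect)
                return 0;
        }
    return 1;
}

/*
 * bsearch() a constructed, sorted "mcelem" array for key; returns the index
 * or -1.  The middle element is -1, so searching for INT32_MAX makes the
 * first probe hit exactly the pair that overflows.
 */
static int
find_with(int (*cmp) (const void *, const void *), int32_t key)
{
    static const Datum mcelem[] = {Int32GetDatum(-3), Int32GetDatum(-1),
                                   Int32GetDatum(INT32_MAX)};
    const Datum *hit = bsearch(&key, mcelem, sizeof(mcelem) / sizeof(mcelem[0]),
                               sizeof(mcelem[0]), cmp);

    return hit ? (int) (hit - mcelem) : -1;
}

int
main(void)
{
    printf("INT32_MAX vs -1: overflowing=%d fixed=%d\n",
           cmp_sign(compare_val_int4_overflowing, INT32_MAX, -1),
           cmp_sign(compare_val_int4_fixed, INT32_MAX, -1));
    printf("consistent: overflowing=%d fixed=%d\n",
           comparator_is_consistent(compare_val_int4_overflowing),
           comparator_is_consistent(compare_val_int4_fixed));
    printf("bsearch(INT32_MAX): overflowing=%d fixed=%d\n",
           find_with(compare_val_int4_overflowing, INT32_MAX),
           find_with(compare_val_int4_fixed, INT32_MAX));
    return 0;
}
```

The consistency check is the part worth keeping around: `return a - b` is only safe when the two operands are known to be less than 2^31 apart, and a comparator that is antisymmetric over the probe set above cannot be hiding that bug. Inside the PostgreSQL tree the same three-way idiom is available as `pg_cmp_s32()` in `common/int.h`, so a fix there need not spell it out by hand.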