On Fri, May 15, 2026 at 9:13 AM Chao Li <[email protected]> wrote:
>
> Hi,
>
> I just tested “Add COPY (column list) (on_error set_null) option”. While
> tracing a normal case, I found a mistake:
>
> In BeginCopyFrom(), cstate->domain_with_constraint is allocated using the
> length of the specified column list, and set using the index in that column
> list:
> ```
> int attr_count = list_length(cstate->attnumlist);
>
> /*
>  * When data type conversion fails and ON_ERROR is SET_NULL, we need
>  * ensure that the input column allow null values. ExecConstraints()
>  * will cover most of the cases, but it does not verify domain
>  * constraints. Therefore, for constrained domains, the null value
>  * check must be performed during the initial string-to-datum
>  * conversion (see CopyFromTextLikeOneRow()).
>  */
> cstate->domain_with_constraint = palloc0_array(bool, attr_count); <== allocate with length of column list from SQL
>
> foreach_int(attno, cstate->attnumlist)
> {
>     int i = foreach_current_index(attno);
>
>     Form_pg_attribute att = TupleDescAttr(tupDesc, attno - 1);
>
>     cstate->domain_with_constraint[i] = DomainHasConstraints(att->atttypid, NULL); <= set with index of column list from SQL
> }
> ```
>
> However, cstate->domain_with_constraint is read in CopyFromTextLikeOneRow(),
> where it is accessed using the actual attribute number:
> ```
> /* Loop to read the user attributes on the line. */
> foreach(cur, cstate->attnumlist)
> {
>     int attnum = lfirst_int(cur);
>     int m = attnum - 1;
>
>     ...
>     if (!cstate->domain_with_constraint[m] ||
> ```
>
> So, if the column list specified in SQL is shorter than the table’s actual
> attribute list, this may cause an out-of-bounds read.
>
Hi.
This appears to be the same issue as reported here: https://postgr.es/m/cahg+qddej0c0gwji2fnbirzhgzyznpitwc1p5b_-dsnczq-...@mail.gmail.com
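The index mismatch Chao Li describes, modelled in a small stand-alone C program added here (it is not PostgreSQL's code and not from either poster): the quoted sizing by column-list length sits beside a sizing by table attribute count, and the read uses a bounds check in place of the bare `domain_with_constraint[m]`. `FlagArray`, `read_flag_checked`, `last_column_flag` and the 4-column scenario are constructed for the example.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model (not PostgreSQL's code): attnumlist[] holds the 1-based
 * attnums named in COPY, nlist its length, natts the table's attribute count,
 * has_constraint[attnum - 1] stands in for DomainHasConstraints(). */
typedef struct { bool *flags; int nslots; } FlagArray;
/* Sizing as quoted from BeginCopyFrom(): nlist slots, filled by list position. */
static FlagArray alloc_by_list_position(const int *attnumlist, int nlist,
                                        const bool *has_constraint)
{
    FlagArray a = { calloc(nlist, sizeof(bool)), nlist };
    for (int i = 0; i < nlist; i++)
        a.flags[i] = has_constraint[attnumlist[i] - 1];
    return a;
}

/* Consistent alternative: natts slots, written and read through attnum - 1. */
static FlagArray alloc_by_attnum(const int *attnumlist, int nlist, int natts,
                                 const bool *has_constraint)
{
    FlagArray a = { calloc(natts, sizeof(bool)), natts };
    for (int i = 0; i < nlist; i++)
        a.flags[attnumlist[i] - 1] = has_constraint[attnumlist[i] - 1];
    return a;
}

/* Read side as quoted from CopyFromTextLikeOneRow(): index by attnum - 1.
 * Returns -1 instead of touching memory when that index lies past the
 * allocation (the out-of-bounds read the report describes), else the flag. */
static int read_flag_checked(const FlagArray *a, int attnum)
{
    int m = attnum - 1;
    if (m < 0 || m >= a->nslots) return -1;
    return a->flags[m] ? 1 : 0;
}

/* Constructed scenario: 4-column table, COPY naming only column 4 (a
 * constrained domain). Checked read of column 4's flag: -1 or 1. */
static int last_column_flag(bool size_by_attnum)
{
    static const int  list[] = {4};
    static const bool has_constraint[] = {false, false, false, true};
    FlagArray a = size_by_attnum ? alloc_by_attnum(list, 1, 4, has_constraint)
                                 : alloc_by_list_position(list, 1, has_constraint);
    int flag = read_flag_checked(&a, 4);
    free(a.flags);
    return flag;
}
```

With the quoted sizing the array has one slot but the read asks for index 3, so the checked read reports -1; with natts slots the same read returns the flag for column 4.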
