Re: [HACKERS] [sqlsmith] Infinite recursion in bitshift

[Tom Lane]

Merlin Moncure  writes:
> On Fri, Oct 14, 2016 at 3:31 PM, Tom Lane  wrote:
>> Poking around in varbit.c, I noticed some other places that were assuming
>> that a typmod couldn't exceed VARBITMAXLEN.

> Curious -- are there real world scenarios where this would happen?

I think you'd have to be intentionally trying to break it.  The largest
varbit typmod you're allowed to declare normally is only ~ 80 million.

regards, tom lane


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [sqlsmith] Infinite recursion in bitshift

[Merlin Moncure]

On Fri, Oct 14, 2016 at 3:31 PM, Tom Lane  wrote:
> Andreas Seltenreich  writes:
>> Tom Lane writes:
>>> Seems sane, though I wonder if it'd be better to use -INT_MAX rather
>>> than -VARBITMAXLEN.
>
>> I am undecided between those two.  -INT_MAX might be a more precise fix
>> for the problem, but the extra distance to the danger zone was kind of
>> soothing :-).
>
> Yeah, might as well use the tighter limit.
>
> Poking around in varbit.c, I noticed some other places that were assuming
> that a typmod couldn't exceed VARBITMAXLEN.  anybit_typmodin() enforces
> that, but there are places where a user can shove in an arbitrary integer,
> eg
>
> regression=# select "bit"(42, 2147483647);
> ERROR:  invalid memory alloc request size 18446744073441116169
>
> I fixed those too and pushed it.  Thanks for the report!

Curious -- are there real world scenarios where this would happen?

merlin


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [sqlsmith] Infinite recursion in bitshift

[Tom Lane]

Andreas Seltenreich  writes:
> Tom Lane writes:
>> Seems sane, though I wonder if it'd be better to use -INT_MAX rather
>> than -VARBITMAXLEN.

> I am undecided between those two.  -INT_MAX might be a more precise fix
> for the problem, but the extra distance to the danger zone was kind of
> soothing :-).

Yeah, might as well use the tighter limit.

Poking around in varbit.c, I noticed some other places that were assuming
that a typmod couldn't exceed VARBITMAXLEN.  anybit_typmodin() enforces
that, but there are places where a user can shove in an arbitrary integer,
eg

regression=# select "bit"(42, 2147483647);
ERROR:  invalid memory alloc request size 18446744073441116169

I fixed those too and pushed it.  Thanks for the report!

regards, tom lane


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [sqlsmith] Infinite recursion in bitshift

[Andreas Seltenreich]

Tom Lane writes:

>> This is due to an integer overflow in bitshiftright()/bitshiftleft()
>> leading to them recursively calling each other.  Patch attached.
>
> Seems sane, though I wonder if it'd be better to use -INT_MAX rather
> than -VARBITMAXLEN.

I am undecided between those two.  -INT_MAX might be a more precise fix
for the problem, but the extra distance to the danger zone was kind of
soothing :-).

regards,
Andreas


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [sqlsmith] Infinite recursion in bitshift

[Tom Lane]

Andreas Seltenreich  writes:
> sqlsmith just found another crasher:
> select bit '1' >> (-2^31)::int;

Nice catch :-)

> This is due to an integer overflow in bitshiftright()/bitshiftleft()
> leading to them recursively calling each other.  Patch attached.

Seems sane, though I wonder if it'd be better to use -INT_MAX rather
than -VARBITMAXLEN.

regards, tom lane


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers