pgsql: Guard against unexpected dimensions of oidvector/int2vector.

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Tom Lane <[email protected]>
To: [email protected]
Subject: pgsql: Guard against unexpected dimensions of oidvector/int2vector.
Date: Mon, 09 Feb 2026 15:15:05 +0000
Message-ID: <[email protected]> (raw)

Guard against unexpected dimensions of oidvector/int2vector.

These data types are represented like full-fledged arrays, but
functions that deal specifically with these types assume that the
array is 1-dimensional and contains no nulls.  However, there are
cast pathways that allow general oid[] or int2[] arrays to be cast
to these types, allowing these expectations to be violated.  This
can be exploited to cause server memory disclosure or SIGSEGV.
Fix by installing explicit checks in functions that accept these
types.

Reported-by: Altan Birler <[email protected]>
Author: Tom Lane <[email protected]>
Reviewed-by: Noah Misch <[email protected]>
Security: CVE-2026-2003
Backpatch-through: 14

Branch
------
REL_17_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/3d160401b65e1d37ca19cf9b78d01aac53ac9605

Modified Files
--------------
src/backend/access/hash/hashfunc.c     |  3 +++
src/backend/access/nbtree/nbtcompare.c |  4 ++++
src/backend/utils/adt/format_type.c    |  6 +++++-
src/backend/utils/adt/int.c            | 31 ++++++++++++++++++++++++++++++-
src/backend/utils/adt/oid.c            | 31 ++++++++++++++++++++++++++++++-
src/include/utils/builtins.h           |  1 +
src/test/regress/expected/arrays.out   |  5 +++++
src/test/regress/sql/arrays.sql        |  4 ++++
8 files changed, 82 insertions(+), 3 deletions(-)

view thread (6+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected]
  Subject: Re: pgsql: Guard against unexpected dimensions of oidvector/int2vector.
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox