public inbox for [email protected]  
pgsql: Guard against unexpected dimensions of oidvector/int2vector.

* pgsql: Guard against unexpected dimensions of oidvector/int2vector.
@ 2026-02-09 15:15  Tom Lane <[email protected]>
  0 siblings, 0 replies; 6+ messages in thread

From: Tom Lane @ 2026-02-09 15:15 UTC (permalink / raw)
  To: [email protected]

Guard against unexpected dimensions of oidvector/int2vector.

These data types are represented like full-fledged arrays, but
functions that deal specifically with these types assume that the
array is 1-dimensional and contains no nulls.  However, there are
cast pathways that allow general oid[] or int2[] arrays to be cast
to these types, allowing these expectations to be violated.  This
can be exploited to cause server memory disclosure or SIGSEGV.
Fix by installing explicit checks in functions that accept these
types.

Reported-by: Altan Birler <[email protected]>
Author: Tom Lane <[email protected]>
Reviewed-by: Noah Misch <[email protected]>
Security: CVE-2026-2003
Backpatch-through: 14

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/60e7ae41a6987ed05dcfe87bddaccac8e1e93126

Modified Files
--------------
src/backend/access/hash/hashfunc.c     |  3 +++
src/backend/access/nbtree/nbtcompare.c |  4 ++++
src/backend/utils/adt/format_type.c    |  6 +++++-
src/backend/utils/adt/int.c            | 31 ++++++++++++++++++++++++++++++-
src/backend/utils/adt/oid.c            | 31 ++++++++++++++++++++++++++++++-
src/include/utils/builtins.h           |  1 +
src/test/regress/expected/arrays.out   |  5 +++++
src/test/regress/sql/arrays.sql        |  4 ++++
8 files changed, 82 insertions(+), 3 deletions(-)




* pgsql: Guard against unexpected dimensions of oidvector/int2vector.
@ 2026-02-09 15:15  Tom Lane <[email protected]>
  0 siblings, 0 replies; 6+ messages in thread

From: Tom Lane @ 2026-02-09 15:15 UTC (permalink / raw)
  To: [email protected]

Guard against unexpected dimensions of oidvector/int2vector.

These data types are represented like full-fledged arrays, but
functions that deal specifically with these types assume that the
array is 1-dimensional and contains no nulls.  However, there are
cast pathways that allow general oid[] or int2[] arrays to be cast
to these types, allowing these expectations to be violated.  This
can be exploited to cause server memory disclosure or SIGSEGV.
Fix by installing explicit checks in functions that accept these
types.

Reported-by: Altan Birler <[email protected]>
Author: Tom Lane <[email protected]>
Reviewed-by: Noah Misch <[email protected]>
Security: CVE-2026-2003
Backpatch-through: 14

Branch
------
REL_16_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/595956fc7268b5183c1e0e39673e478febbd008f

Modified Files
--------------
src/backend/access/hash/hashfunc.c     |  2 ++
src/backend/access/nbtree/nbtcompare.c |  3 +++
src/backend/utils/adt/format_type.c    |  6 +++++-
src/backend/utils/adt/int.c            | 31 ++++++++++++++++++++++++++++++-
src/backend/utils/adt/oid.c            | 31 ++++++++++++++++++++++++++++++-
src/include/utils/builtins.h           |  1 +
src/test/regress/expected/arrays.out   |  5 +++++
src/test/regress/sql/arrays.sql        |  4 ++++
8 files changed, 80 insertions(+), 3 deletions(-)




* pgsql: Guard against unexpected dimensions of oidvector/int2vector.
@ 2026-02-09 15:15  Tom Lane <[email protected]>
  0 siblings, 0 replies; 6+ messages in thread

From: Tom Lane @ 2026-02-09 15:15 UTC (permalink / raw)
  To: [email protected]

Guard against unexpected dimensions of oidvector/int2vector.

These data types are represented like full-fledged arrays, but
functions that deal specifically with these types assume that the
array is 1-dimensional and contains no nulls.  However, there are
cast pathways that allow general oid[] or int2[] arrays to be cast
to these types, allowing these expectations to be violated.  This
can be exploited to cause server memory disclosure or SIGSEGV.
Fix by installing explicit checks in functions that accept these
types.

Reported-by: Altan Birler <[email protected]>
Author: Tom Lane <[email protected]>
Reviewed-by: Noah Misch <[email protected]>
Security: CVE-2026-2003
Backpatch-through: 14

Branch
------
REL_18_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/3b6588cd902faa967f61f539f057f9b7643cf6a5

Modified Files
--------------
src/backend/access/hash/hashfunc.c     |  3 +++
src/backend/access/nbtree/nbtcompare.c |  4 ++++
src/backend/utils/adt/format_type.c    |  6 +++++-
src/backend/utils/adt/int.c            | 31 ++++++++++++++++++++++++++++++-
src/backend/utils/adt/oid.c            | 31 ++++++++++++++++++++++++++++++-
src/include/utils/builtins.h           |  1 +
src/test/regress/expected/arrays.out   |  5 +++++
src/test/regress/sql/arrays.sql        |  4 ++++
8 files changed, 82 insertions(+), 3 deletions(-)




* pgsql: Guard against unexpected dimensions of oidvector/int2vector.
@ 2026-02-09 15:15  Tom Lane <[email protected]>
  0 siblings, 0 replies; 6+ messages in thread

From: Tom Lane @ 2026-02-09 15:15 UTC (permalink / raw)
  To: [email protected]

Guard against unexpected dimensions of oidvector/int2vector.

These data types are represented like full-fledged arrays, but
functions that deal specifically with these types assume that the
array is 1-dimensional and contains no nulls.  However, there are
cast pathways that allow general oid[] or int2[] arrays to be cast
to these types, allowing these expectations to be violated.  This
can be exploited to cause server memory disclosure or SIGSEGV.
Fix by installing explicit checks in functions that accept these
types.

Reported-by: Altan Birler <[email protected]>
Author: Tom Lane <[email protected]>
Reviewed-by: Noah Misch <[email protected]>
Security: CVE-2026-2003
Backpatch-through: 14

Branch
------
REL_17_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/3d160401b65e1d37ca19cf9b78d01aac53ac9605

Modified Files
--------------
src/backend/access/hash/hashfunc.c     |  3 +++
src/backend/access/nbtree/nbtcompare.c |  4 ++++
src/backend/utils/adt/format_type.c    |  6 +++++-
src/backend/utils/adt/int.c            | 31 ++++++++++++++++++++++++++++++-
src/backend/utils/adt/oid.c            | 31 ++++++++++++++++++++++++++++++-
src/include/utils/builtins.h           |  1 +
src/test/regress/expected/arrays.out   |  5 +++++
src/test/regress/sql/arrays.sql        |  4 ++++
8 files changed, 82 insertions(+), 3 deletions(-)




* pgsql: Guard against unexpected dimensions of oidvector/int2vector.
@ 2026-02-09 15:15  Tom Lane <[email protected]>
  0 siblings, 0 replies; 6+ messages in thread

From: Tom Lane @ 2026-02-09 15:15 UTC (permalink / raw)
  To: [email protected]

Guard against unexpected dimensions of oidvector/int2vector.

These data types are represented like full-fledged arrays, but
functions that deal specifically with these types assume that the
array is 1-dimensional and contains no nulls.  However, there are
cast pathways that allow general oid[] or int2[] arrays to be cast
to these types, allowing these expectations to be violated.  This
can be exploited to cause server memory disclosure or SIGSEGV.
Fix by installing explicit checks in functions that accept these
types.

Reported-by: Altan Birler <[email protected]>
Author: Tom Lane <[email protected]>
Reviewed-by: Noah Misch <[email protected]>
Security: CVE-2026-2003
Backpatch-through: 14

Branch
------
REL_14_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/b39d3813992d4d1fd50e68a9c5be9ba4306de96c

Modified Files
--------------
src/backend/access/hash/hashfunc.c     |  2 ++
src/backend/access/nbtree/nbtcompare.c |  3 +++
src/backend/utils/adt/format_type.c    |  6 +++++-
src/backend/utils/adt/int.c            | 31 ++++++++++++++++++++++++++++++-
src/backend/utils/adt/oid.c            | 31 ++++++++++++++++++++++++++++++-
src/include/utils/builtins.h           |  1 +
src/test/regress/expected/arrays.out   |  5 +++++
src/test/regress/sql/arrays.sql        |  4 ++++
8 files changed, 80 insertions(+), 3 deletions(-)




* pgsql: Guard against unexpected dimensions of oidvector/int2vector.
@ 2026-02-09 15:15  Tom Lane <[email protected]>
  0 siblings, 0 replies; 6+ messages in thread

From: Tom Lane @ 2026-02-09 15:15 UTC (permalink / raw)
  To: [email protected]

Guard against unexpected dimensions of oidvector/int2vector.

These data types are represented like full-fledged arrays, but
functions that deal specifically with these types assume that the
array is 1-dimensional and contains no nulls.  However, there are
cast pathways that allow general oid[] or int2[] arrays to be cast
to these types, allowing these expectations to be violated.  This
can be exploited to cause server memory disclosure or SIGSEGV.
Fix by installing explicit checks in functions that accept these
types.

Reported-by: Altan Birler <[email protected]>
Author: Tom Lane <[email protected]>
Reviewed-by: Noah Misch <[email protected]>
Security: CVE-2026-2003
Backpatch-through: 14

Branch
------
REL_15_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/429aeaebd16d8c0e5356d7aa77d25c90b9794a6a

Modified Files
--------------
src/backend/access/hash/hashfunc.c     |  2 ++
src/backend/access/nbtree/nbtcompare.c |  3 +++
src/backend/utils/adt/format_type.c    |  6 +++++-
src/backend/utils/adt/int.c            | 31 ++++++++++++++++++++++++++++++-
src/backend/utils/adt/oid.c            | 31 ++++++++++++++++++++++++++++++-
src/include/utils/builtins.h           |  1 +
src/test/regress/expected/arrays.out   |  5 +++++
src/test/regress/sql/arrays.sql        |  4 ++++
8 files changed, 80 insertions(+), 3 deletions(-)
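
The kind of guard the commit messages above describe, as an added example that is not PostgreSQL's code and not taken from the patch: a consumer of a vector type checks that its input is 1-dimensional, null-free and of the expected element type before indexing it. The struct, enum and function names are hypothetical, and the length check is an extra assumption of this simplified model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define OIDOID 26u /* type OID of "oid" in PostgreSQL's catalog */

/* Simplified stand-in for the array header; NOT PostgreSQL's struct. */
typedef struct {
    int32_t  ndim;       /* number of dimensions */
    int32_t  dataoffset; /* 0 = no null bitmap present */
    uint32_t elemtype;   /* element type OID */
    int32_t  dim1;       /* element count, valid only if ndim == 1 */
    size_t   nbytes;     /* bytes of element storage behind the header */
} vec_hdr;

typedef enum { VEC_OK, VEC_BAD_NDIM, VEC_HAS_NULLS,
               VEC_BAD_ELEMTYPE, VEC_BAD_LENGTH } vec_status;

/* Reject anything that is not a 1-D, null-free vector of oid. */
vec_status check_oid_vector(const vec_hdr *h)
{
    if (h->ndim != 1)
        return VEC_BAD_NDIM;
    if (h->dataoffset != 0)
        return VEC_HAS_NULLS;
    if (h->elemtype != OIDOID)
        return VEC_BAD_ELEMTYPE;
    /* Extra check assumed for this model: dim1 must fit the storage. */
    if (h->dim1 < 0 || (size_t) h->dim1 > h->nbytes / sizeof(uint32_t))
        return VEC_BAD_LENGTH;
    return VEC_OK;
}

/* Consumer that validates before it indexes values[]. */
bool oid_vector_sum(const vec_hdr *h, const uint32_t *values, uint64_t *sum)
{
    if (check_oid_vector(h) != VEC_OK)
        return false;
    *sum = 0;
    for (int32_t i = 0; i < h->dim1; i++)
        *sum += values[i];
    return true;
}

int main(void)
{
    uint32_t vals[3] = {10, 20, 30};                /* constructed sample */
    vec_hdr two_d = {2, 0, OIDOID, 3, sizeof vals}; /* 2-D input */
    uint64_t s;
    return oid_vector_sum(&two_d, vals, &s) ? 1 : 0; /* 0: rejected */
}
```
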




