From: Noah Misch <[email protected]>
To: [email protected]
Subject: pgsql: Fix integer overflow in array_agg(), when the array grows too la
Date: Mon, 11 May 2026 12:19:37 +0000
Message-ID: <[email protected]>

Fix integer overflow in array_agg(), when the array grows too large

If you accumulate many arrays full of NULLs, you could overflow
'nitems', before reaching the MaxAllocSize limit on the allocations.
Add an explicit check that the number of items doesn't grow too large.
With more than MaxArraySize items, getting the final result with
makeArrayResultArr() would fail anyway, so better to error out early.

Reported-by: Xint Code
Author: Heikki Linnakangas <[email protected]>
Reviewed-by: Tom Lane <[email protected]>
Backpatch-through: 14
Security: CVE-2026-6473

Branch
------
REL_18_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/67dd6243dc95df560ff3c31ed5b6e9474d98c4c3
Author: Heikki Linnakangas <[email protected]>

Modified Files
--------------
src/backend/utils/adt/arrayfuncs.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
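
A simplified model of the overflow described in the commit message, added here as an example; it is not PostgreSQL's code and not part of the commit. It shows why the allocation limit alone does not bound an `int` item counter for all-NULL input, and what an explicit item-count check looks like. The struct, the function names, the 8-byte Datum, and the choice to bound the count at MaxArraySize are assumptions.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* PostgreSQL's limits, assuming an 8-byte Datum: MaxAllocSize is 1 GB - 1. */
#define MAX_ALLOC_SIZE INT64_C(0x3fffffff)
#define MAX_ARRAY_SIZE (MAX_ALLOC_SIZE / 8)

/* Hypothetical model of the aggregate state; only 'nitems' is named on the page. */
typedef struct { int nitems; int64_t bitmap_bytes; } AccumModel;

/* An all-NULL input stores no element data, only one null-bitmap bit per item,
 * so this many items fit under the allocation limit alone. */
int64_t items_allowed_by_alloc_limit(void) { return MAX_ALLOC_SIZE * 8; }

/* Add one input array of n NULLs (n >= 0). Returns 0 on success, -1 if the
 * total would exceed MAX_ARRAY_SIZE; the sum is formed in 64 bits so the
 * check itself cannot wrap. State is untouched on failure. */
int accum_nulls_checked(AccumModel *st, int n)
{
    int64_t newnitems = (int64_t) st->nitems + n;

    if (n < 0 || newnitems > MAX_ARRAY_SIZE)
        return -1;
    st->nitems = (int) newnitems;
    st->bitmap_bytes = (newnitems + 7) / 8;
    return 0;
}

/* Feed arrays of 'chunk' NULLs until one is rejected; return items accepted. */
int64_t fill_until_rejected(int chunk)
{
    AccumModel st = {0, 0};

    while (chunk > 0 && accum_nulls_checked(&st, chunk) == 0)
        ;
    return st.nitems;
}

int main(void)
{
    printf("alloc limit alone allows %lld items, INT_MAX is %d\n",
           (long long) items_allowed_by_alloc_limit(), INT_MAX);
    printf("checked accumulator stops at %lld items\n",
           (long long) fill_until_rejected(1000000));
    return 0;
}
```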


