Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1syFaB-00FOhb-FR for pgsql-hackers@arkaria.postgresql.org; Tue, 08 Oct 2024 19:09:19 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1syFa9-00B8X6-Qy for pgsql-hackers@arkaria.postgresql.org; Tue, 08 Oct 2024 19:09:17 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1syFa9-00B8Wy-HM for pgsql-hackers@lists.postgresql.org; Tue, 08 Oct 2024 19:09:17 +0000 Received: from mail-pg1-x532.google.com ([2607:f8b0:4864:20::532]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1syFa6-0002Ib-7Y for pgsql-hackers@postgresql.org; Tue, 08 Oct 2024 19:09:16 +0000 Received: by mail-pg1-x532.google.com with SMTP id 41be03b00d2f7-656d8b346d2so3901906a12.2 for ; Tue, 08 Oct 2024 12:09:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1728414553; x=1729019353; darn=postgresql.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=RKwEsTSXrzbYu46wRLB/KIUMqIWrWIbMS7ZzSWjHsGM=; b=PtC55L+Vsdyy7wD5yj2ATXKgaiFYkEyP/yk3cHaJZqZLzFKvIHojCVG3Qu6E1pgNnF eyS5qnUjS1S6T5DXxjbDiQmT/waNtchjuhwwVDYerfHmLqbWOQ8w79hBDjc+NCMv9Lvx nrVcvhZHuiIGQxu/97AlIpVgAq4UswZey0gNtGMNQChCsBQ8Nip3UIDkKeneFfLPXcWd JJ34SReXW3ruZu251loJm6SNUZDkyJi16i3QRnDhlZXcnNLII0YRhkiVXjpROlFRfI8x sr24VTR69d5J41PjabEg62yup51iIWsk11RPE+ZJqGk+aGCbN6pptzz5j/pHbSJvKQ27 g+vw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728414553; x=1729019353; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=RKwEsTSXrzbYu46wRLB/KIUMqIWrWIbMS7ZzSWjHsGM=; b=dYiCOTDk2KaJRf/spJArWXlVpoBmWD0qVbaqfbJmJ3Hdw0p2PTXDZqpDp/l7mlMmsM 6vyVlmlw0j3splPkHCTyS3F2WZlhhi13ASOsOd4vVcPiq07UI9zLrl7yiCAKHynxalCt BGiSHCyX/7pUY22wsBXQX40GNPbPC7Fk+8gNvLDBe3T5ZLohY019BChfdvN80qkklVlP LENn7LccCb7ulhGOdeiOEXH1U7a+q/SzZPSE6TRW95HUM38ATQP6Kmldod4gaYPD60zV 09Zk/6f4IWknWk66VP+J+suFRkbgFRD+M+0JBAKggQk5I0e6SxJp1C7NXvOwCv2+ZoyD e3ag== X-Gm-Message-State: AOJu0Yy3Tw/F64oEtJ7g3WG+LfzKNOQB74FApbg3PIU+SI8jx7fZsuQH gx0FtQeKP6dgrN0wW0aB1k6JeIwmX5m3jSZwnHsf99grO/EY26s3LKG2ikoz4CHuBedAZOe+rBG Tb64HKDF3dHI8k5eYGeNFukrCVa2Fymk5 X-Google-Smtp-Source: AGHT+IFKHTTLMdjGEnNWwfXHiKKPj5hneR3uuh7Al2yqZJzVCDuuZG35uXM1QSGszziUHfzx9LV7sCXvThaRj+Zybb0= X-Received: by 2002:a05:6a21:920d:b0:1d3:5208:1ea6 with SMTP id adf61e73a8af0-1d6dfaef24fmr28007978637.45.1728414552870; Tue, 08 Oct 2024 12:09:12 -0700 (PDT) MIME-Version: 1.0 From: Ranier Vilela Date: Tue, 8 Oct 2024 16:09:00 -0300 Message-ID: Subject: Avoid possible overflow (src/port/bsearch_arg.c) To: Pg Hackers Content-Type: multipart/mixed; boundary="00000000000072ef1c0623fbdf4c" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --00000000000072ef1c0623fbdf4c Content-Type: multipart/alternative; boundary="00000000000072ef1b0623fbdf4a" --00000000000072ef1b0623fbdf4a Content-Type: text/plain; charset="UTF-8" Hi. The port function *bsearch_arg* mimics the C function *bsearch*. The API signature is: void * bsearch_arg(const void *key, const void *base0, size_t nmemb, size_t size, int (*compar) (const void *, const void *, void *), void *arg) So, the parameter *nmemb* is size_t. Therefore, a call with nmemb greater than INT_MAX is possible. Internally the code uses the *int* type to iterate through the number of members, which makes overflow possible. Trivial fix attached. best regards, Ranier Vilela --00000000000072ef1b0623fbdf4a Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi.

The port function *bsear= ch_arg* mimics the C function
*bsearch*.

The API signature is:
void *
bsearch_arg(const void *key, con= st void *base0,
size_t nmemb, size_t size,
int (*compar) (const= void *, const void *, void *),
void *arg)

S= o, the parameter *nmemb* is size_t.
Therefore, a call with nmemb = greater than INT_MAX is possible.

Internally the c= ode uses the *int* type to iterate through the number of members, which mak= es overflow possible.

Trivial fix attached.
<= div>
best regards,
Ranier Vilela
--00000000000072ef1b0623fbdf4a-- --00000000000072ef1c0623fbdf4c Content-Type: application/octet-stream; name="avoid-possible-overflow-bsearch_arg.patch" Content-Disposition: attachment; filename="avoid-possible-overflow-bsearch_arg.patch" Content-Transfer-Encoding: base64 Content-ID: X-Attachment-Id: f_m20t84jp0 ZGlmZiAtLWdpdCBhL3NyYy9wb3J0L2JzZWFyY2hfYXJnLmMgYi9zcmMvcG9ydC9ic2VhcmNoX2Fy Zy5jCmluZGV4IGYwZGU0NjdiZWUuLmUwNDQ2YTlmMDcgMTAwNjQ0Ci0tLSBhL3NyYy9wb3J0L2Jz ZWFyY2hfYXJnLmMKKysrIGIvc3JjL3BvcnQvYnNlYXJjaF9hcmcuYwpAQCAtNTgsOCArNTgsOCBA QCBic2VhcmNoX2FyZyhjb25zdCB2b2lkICprZXksIGNvbnN0IHZvaWQgKmJhc2UwLAogCQkJdm9p ZCAqYXJnKQogewogCWNvbnN0IGNoYXIgKmJhc2UgPSAoY29uc3QgY2hhciAqKSBiYXNlMDsKLQlp bnQJCQlsaW0sCi0JCQkJY21wOworCXNpemVfdAkJbGltOworCWludAkJCWNtcDsKIAljb25zdCB2 b2lkICpwOwogCiAJZm9yIChsaW0gPSBubWVtYjsgbGltICE9IDA7IGxpbSA+Pj0gMSkK --00000000000072ef1c0623fbdf4c--