577 lines
18 KiB
Diff
577 lines
18 KiB
Diff
From d267cea24ea346c739c85bf7bccbd8e8f59da6b3 Mon Sep 17 00:00:00 2001
|
|
From: Tom Lane <tgl@sss.pgh.pa.us>
|
|
Date: Mon, 6 Nov 2023 10:56:43 -0500
|
|
Subject: [PATCH 1/1] Detect integer overflow while computing new array
|
|
dimensions.
|
|
|
|
array_set_element() and related functions allow an array to be
|
|
enlarged by assigning to subscripts outside the current array bounds.
|
|
While these places were careful to check that the new bounds are
|
|
allowable, they neglected to consider the risk of integer overflow
|
|
in computing the new bounds. In edge cases, we could compute new
|
|
bounds that are invalid but get past the subsequent checks,
|
|
allowing bad things to happen. Memory stomps that are potentially
|
|
exploitable for arbitrary code execution are possible, and so is
|
|
disclosure of server memory.
|
|
|
|
To fix, perform the hazardous computations using overflow-detecting
|
|
arithmetic routines, which fortunately exist in all still-supported
|
|
branches.
|
|
|
|
The test cases added for this generate (after patching) errors that
|
|
mention the value of MaxArraySize, which is platform-dependent.
|
|
Rather than introduce multiple expected-files, use psql's VERBOSITY
|
|
parameter to suppress the printing of the message text. v11 psql
|
|
lacks that parameter, so omit the tests in that branch.
|
|
|
|
Our thanks to Pedro Gallegos for reporting this problem.
|
|
|
|
Security: CVE-2023-5869
|
|
Sign-Off-By: Tianyue Lan <tianyue.lan@oracle.com>
|
|
|
|
---
|
|
src/backend/utils/adt/arrayfuncs.c | 85 ++++++++++++++++++++++------
|
|
src/backend/utils/adt/arrayutils.c | 6 --
|
|
src/include/utils/array.h | 7 +++
|
|
src/test/regress/expected/arrays.out | 17 ++++++
|
|
src/test/regress/sql/arrays.sql | 19 +++++++
|
|
src/include/common/int.h | 273 +++++++++++++++++++++++++++++++++++++++
|
|
create mode 100644 src/include/common/int.h
|
|
6 files changed, 383 insertions(+), 24 deletions(-)
|
|
|
|
diff --git a/src/backend/utils/adt/arrayfuncs.c b/src/backend/utils/adt/arrayfuncs.c
|
|
index 553c517..7363893 100644
|
|
--- a/src/backend/utils/adt/arrayfuncs.c
|
|
+++ b/src/backend/utils/adt/arrayfuncs.c
|
|
@@ -22,6 +22,7 @@
|
|
|
|
#include "access/htup_details.h"
|
|
#include "catalog/pg_type.h"
|
|
+#include "common/int.h"
|
|
#include "funcapi.h"
|
|
#include "libpq/pqformat.h"
|
|
#include "utils/array.h"
|
|
@@ -2309,22 +2310,38 @@ array_set_element(Datum arraydatum,
|
|
addedbefore = addedafter = 0;
|
|
|
|
/*
|
|
- * Check subscripts
|
|
+ * Check subscripts. We assume the existing subscripts passed
|
|
+ * ArrayCheckBounds, so that dim[i] + lb[i] can be computed without
|
|
+ * overflow. But we must beware of other overflows in our calculations of
|
|
+ * new dim[] values.
|
|
*/
|
|
if (ndim == 1)
|
|
{
|
|
if (indx[0] < lb[0])
|
|
{
|
|
- addedbefore = lb[0] - indx[0];
|
|
- dim[0] += addedbefore;
|
|
+ /* addedbefore = lb[0] - indx[0]; */
|
|
+ /* dim[0] += addedbefore; */
|
|
+ if (pg_sub_s32_overflow(lb[0], indx[0], &addedbefore) ||
|
|
+ pg_add_s32_overflow(dim[0], addedbefore, &dim[0]))
|
|
+ ereport(ERROR,
|
|
+ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
|
|
+ errmsg("array size exceeds the maximum allowed (%d)",
|
|
+ (int) MaxArraySize)));
|
|
lb[0] = indx[0];
|
|
if (addedbefore > 1)
|
|
newhasnulls = true; /* will insert nulls */
|
|
}
|
|
if (indx[0] >= (dim[0] + lb[0]))
|
|
{
|
|
- addedafter = indx[0] - (dim[0] + lb[0]) + 1;
|
|
- dim[0] += addedafter;
|
|
+ /* addedafter = indx[0] - (dim[0] + lb[0]) + 1; */
|
|
+ /* dim[0] += addedafter; */
|
|
+ if (pg_sub_s32_overflow(indx[0], dim[0] + lb[0], &addedafter) ||
|
|
+ pg_add_s32_overflow(addedafter, 1, &addedafter) ||
|
|
+ pg_add_s32_overflow(dim[0], addedafter, &dim[0]))
|
|
+ ereport(ERROR,
|
|
+ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
|
|
+ errmsg("array size exceeds the maximum allowed (%d)",
|
|
+ (int) MaxArraySize)));
|
|
if (addedafter > 1)
|
|
newhasnulls = true; /* will insert nulls */
|
|
}
|
|
@@ -2568,14 +2585,23 @@ array_set_element_expanded(Datum arraydatum,
|
|
addedbefore = addedafter = 0;
|
|
|
|
/*
|
|
- * Check subscripts (this logic matches original array_set_element)
|
|
+ * Check subscripts (this logic must match array_set_element). We assume
|
|
+ * the existing subscripts passed ArrayCheckBounds, so that dim[i] + lb[i]
|
|
+ * can be computed without overflow. But we must beware of other
|
|
+ * overflows in our calculations of new dim[] values.
|
|
*/
|
|
if (ndim == 1)
|
|
{
|
|
if (indx[0] < lb[0])
|
|
{
|
|
- addedbefore = lb[0] - indx[0];
|
|
- dim[0] += addedbefore;
|
|
+ /* addedbefore = lb[0] - indx[0]; */
|
|
+ /* dim[0] += addedbefore; */
|
|
+ if (pg_sub_s32_overflow(lb[0], indx[0], &addedbefore) ||
|
|
+ pg_add_s32_overflow(dim[0], addedbefore, &dim[0]))
|
|
+ ereport(ERROR,
|
|
+ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
|
|
+ errmsg("array size exceeds the maximum allowed (%d)",
|
|
+ (int) MaxArraySize)));
|
|
lb[0] = indx[0];
|
|
dimschanged = true;
|
|
if (addedbefore > 1)
|
|
@@ -2583,8 +2609,15 @@ array_set_element_expanded(Datum arraydatum,
|
|
}
|
|
if (indx[0] >= (dim[0] + lb[0]))
|
|
{
|
|
- addedafter = indx[0] - (dim[0] + lb[0]) + 1;
|
|
- dim[0] += addedafter;
|
|
+ /* addedafter = indx[0] - (dim[0] + lb[0]) + 1; */
|
|
+ /* dim[0] += addedafter; */
|
|
+ if (pg_sub_s32_overflow(indx[0], dim[0] + lb[0], &addedafter) ||
|
|
+ pg_add_s32_overflow(addedafter, 1, &addedafter) ||
|
|
+ pg_add_s32_overflow(dim[0], addedafter, &dim[0]))
|
|
+ ereport(ERROR,
|
|
+ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
|
|
+ errmsg("array size exceeds the maximum allowed (%d)",
|
|
+ (int) MaxArraySize)));
|
|
dimschanged = true;
|
|
if (addedafter > 1)
|
|
newhasnulls = true; /* will insert nulls */
|
|
@@ -2866,7 +2899,10 @@ array_set_slice(Datum arraydatum,
|
|
addedbefore = addedafter = 0;
|
|
|
|
/*
|
|
- * Check subscripts
|
|
+ * Check subscripts. We assume the existing subscripts passed
|
|
+ * ArrayCheckBounds, so that dim[i] + lb[i] can be computed without
|
|
+ * overflow. But we must beware of other overflows in our calculations of
|
|
+ * new dim[] values.
|
|
*/
|
|
if (ndim == 1)
|
|
{
|
|
@@ -2881,18 +2917,31 @@ array_set_slice(Datum arraydatum,
|
|
errmsg("upper bound cannot be less than lower bound")));
|
|
if (lowerIndx[0] < lb[0])
|
|
{
|
|
- if (upperIndx[0] < lb[0] - 1)
|
|
- newhasnulls = true; /* will insert nulls */
|
|
- addedbefore = lb[0] - lowerIndx[0];
|
|
- dim[0] += addedbefore;
|
|
+ /* addedbefore = lb[0] - lowerIndx[0]; */
|
|
+ /* dim[0] += addedbefore; */
|
|
+ if (pg_sub_s32_overflow(lb[0], lowerIndx[0], &addedbefore) ||
|
|
+ pg_add_s32_overflow(dim[0], addedbefore, &dim[0]))
|
|
+ ereport(ERROR,
|
|
+ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
|
|
+ errmsg("array size exceeds the maximum allowed (%d)",
|
|
+ (int) MaxArraySize)));
|
|
lb[0] = lowerIndx[0];
|
|
+ if (addedbefore > 1)
|
|
+ newhasnulls = true; /* will insert nulls */
|
|
}
|
|
if (upperIndx[0] >= (dim[0] + lb[0]))
|
|
{
|
|
- if (lowerIndx[0] > (dim[0] + lb[0]))
|
|
+ /* addedafter = upperIndx[0] - (dim[0] + lb[0]) + 1; */
|
|
+ /* dim[0] += addedafter; */
|
|
+ if (pg_sub_s32_overflow(upperIndx[0], dim[0] + lb[0], &addedafter) ||
|
|
+ pg_add_s32_overflow(addedafter, 1, &addedafter) ||
|
|
+ pg_add_s32_overflow(dim[0], addedafter, &dim[0]))
|
|
+ ereport(ERROR,
|
|
+ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
|
|
+ errmsg("array size exceeds the maximum allowed (%d)",
|
|
+ (int) MaxArraySize)));
|
|
+ if (addedafter > 1)
|
|
newhasnulls = true; /* will insert nulls */
|
|
- addedafter = upperIndx[0] - (dim[0] + lb[0]) + 1;
|
|
- dim[0] += addedafter;
|
|
}
|
|
}
|
|
else
|
|
diff --git a/src/backend/utils/adt/arrayutils.c b/src/backend/utils/adt/arrayutils.c
|
|
index f7c6a51..eb5f2a0 100644
|
|
--- a/src/backend/utils/adt/arrayutils.c
|
|
+++ b/src/backend/utils/adt/arrayutils.c
|
|
@@ -63,10 +63,6 @@ ArrayGetOffset0(int n, const int *tup, const int *scale)
|
|
* This must do overflow checking, since it is used to validate that a user
|
|
* dimensionality request doesn't overflow what we can handle.
|
|
*
|
|
- * We limit array sizes to at most about a quarter billion elements,
|
|
- * so that it's not necessary to check for overflow in quite so many
|
|
- * places --- for instance when palloc'ing Datum arrays.
|
|
- *
|
|
* The multiplication overflow check only works on machines that have int64
|
|
* arithmetic, but that is nearly all platforms these days, and doing check
|
|
* divides for those that don't seems way too expensive.
|
|
@@ -77,8 +73,6 @@ ArrayGetNItems(int ndim, const int *dims)
|
|
int32 ret;
|
|
int i;
|
|
|
|
-#define MaxArraySize ((Size) (MaxAllocSize / sizeof(Datum)))
|
|
-
|
|
if (ndim <= 0)
|
|
return 0;
|
|
ret = 1;
|
|
diff --git a/src/include/utils/array.h b/src/include/utils/array.h
|
|
index 905f6b0..3e4c09d 100644
|
|
--- a/src/include/utils/array.h
|
|
+++ b/src/include/utils/array.h
|
|
@@ -65,6 +65,13 @@
|
|
#include "utils/expandeddatum.h"
|
|
|
|
|
|
+/*
|
|
+ * Maximum number of elements in an array. We limit this to at most about a
|
|
+ * quarter billion elements, so that it's not necessary to check for overflow
|
|
+ * in quite so many places --- for instance when palloc'ing Datum arrays.
|
|
+ */
|
|
+#define MaxArraySize ((Size) (MaxAllocSize / sizeof(Datum)))
|
|
+
|
|
/*
|
|
* Arrays are varlena objects, so must meet the varlena convention that
|
|
* the first int32 of the object contains the total object size in bytes.
|
|
diff --git a/src/test/regress/expected/arrays.out b/src/test/regress/expected/arrays.out
|
|
index c730563..e4ec394 100644
|
|
--- a/src/test/regress/expected/arrays.out
|
|
+++ b/src/test/regress/expected/arrays.out
|
|
@@ -1347,6 +1347,23 @@ insert into arr_pk_tbl(pk, f1[1:2]) values (1, '{6,7,8}') on conflict (pk)
|
|
-- then you didn't get an indexscan plan, and something is busted.
|
|
reset enable_seqscan;
|
|
reset enable_bitmapscan;
|
|
+-- test subscript overflow detection
|
|
+-- The normal error message includes a platform-dependent limit,
|
|
+-- so suppress it to avoid needing multiple expected-files.
|
|
+\set VERBOSITY terse
|
|
+insert into arr_pk_tbl values(10, '[-2147483648:-2147483647]={1,2}');
|
|
+update arr_pk_tbl set f1[2147483647] = 42 where pk = 10;
|
|
+ERROR: array size exceeds the maximum allowed (134217727)
|
|
+update arr_pk_tbl set f1[2147483646:2147483647] = array[4,2] where pk = 10;
|
|
+ERROR: array size exceeds the maximum allowed (134217727)
|
|
+-- also exercise the expanded-array case
|
|
+do $$ declare a int[];
|
|
+begin
|
|
+ a := '[-2147483648:-2147483647]={1,2}'::int[];
|
|
+ a[2147483647] := 42;
|
|
+end $$;
|
|
+ERROR: array size exceeds the maximum allowed (134217727)
|
|
+\set VERBOSITY default
|
|
-- test [not] (like|ilike) (any|all) (...)
|
|
select 'foo' like any (array['%a', '%o']); -- t
|
|
?column?
|
|
diff --git a/src/test/regress/sql/arrays.sql b/src/test/regress/sql/arrays.sql
|
|
index 25dd4e2..4ad6e55 100644
|
|
--- a/src/test/regress/sql/arrays.sql
|
|
+++ b/src/test/regress/sql/arrays.sql
|
|
@@ -407,6 +407,25 @@ insert into arr_pk_tbl(pk, f1[1:2]) values (1, '{6,7,8}') on conflict (pk)
|
|
reset enable_seqscan;
|
|
reset enable_bitmapscan;
|
|
|
|
+-- test subscript overflow detection
|
|
+
|
|
+-- The normal error message includes a platform-dependent limit,
|
|
+-- so suppress it to avoid needing multiple expected-files.
|
|
+\set VERBOSITY terse
|
|
+
|
|
+insert into arr_pk_tbl values(10, '[-2147483648:-2147483647]={1,2}');
|
|
+update arr_pk_tbl set f1[2147483647] = 42 where pk = 10;
|
|
+update arr_pk_tbl set f1[2147483646:2147483647] = array[4,2] where pk = 10;
|
|
+
|
|
+-- also exercise the expanded-array case
|
|
+do $$ declare a int[];
|
|
+begin
|
|
+ a := '[-2147483648:-2147483647]={1,2}'::int[];
|
|
+ a[2147483647] := 42;
|
|
+end $$;
|
|
+
|
|
+\set VERBOSITY default
|
|
+
|
|
-- test [not] (like|ilike) (any|all) (...)
|
|
select 'foo' like any (array['%a', '%o']); -- t
|
|
select 'foo' like any (array['%a', '%b']); -- f
|
|
|
|
diff --git a/src/include/common/int.h b/src/include/common/int.h
|
|
new file mode 100644
|
|
index 0000000..d754798
|
|
--- /dev/null
|
|
+++ b/src/include/common/int.h
|
|
@@ -0,0 +1,273 @@
|
|
+/*-------------------------------------------------------------------------
|
|
+ *
|
|
+ * int.h
|
|
+ * Routines to perform integer math, while checking for overflows.
|
|
+ *
|
|
+ * The routines in this file are intended to be well defined C, without
|
|
+ * relying on compiler flags like -fwrapv.
|
|
+ *
|
|
+ * To reduce the overhead of these routines try to use compiler intrinsics
|
|
+ * where available. That's not that important for the 16, 32 bit cases, but
|
|
+ * the 64 bit cases can be considerably faster with intrinsics. In case no
|
|
+ * intrinsics are available 128 bit math is used where available.
|
|
+ *
|
|
+ * Copyright (c) 2017-2019, PostgreSQL Global Development Group
|
|
+ *
|
|
+ * src/include/common/int.h
|
|
+ *
|
|
+ *-------------------------------------------------------------------------
|
|
+ */
|
|
+#ifndef COMMON_INT_H
|
|
+#define COMMON_INT_H
|
|
+
|
|
+/*
|
|
+ * If a + b overflows, return true, otherwise store the result of a + b into
|
|
+ * *result. The content of *result is implementation defined in case of
|
|
+ * overflow.
|
|
+ */
|
|
+static inline bool
|
|
+pg_add_s16_overflow(int16 a, int16 b, int16 *result)
|
|
+{
|
|
+#if defined(HAVE__BUILTIN_OP_OVERFLOW)
|
|
+ return __builtin_add_overflow(a, b, result);
|
|
+#else
|
|
+ int32 res = (int32) a + (int32) b;
|
|
+
|
|
+ if (res > PG_INT16_MAX || res < PG_INT16_MIN)
|
|
+ {
|
|
+ *result = 0x5EED; /* to avoid spurious warnings */
|
|
+ return true;
|
|
+ }
|
|
+ *result = (int16) res;
|
|
+ return false;
|
|
+#endif
|
|
+}
|
|
+
|
|
+/*
|
|
+ * If a - b overflows, return true, otherwise store the result of a - b into
|
|
+ * *result. The content of *result is implementation defined in case of
|
|
+ * overflow.
|
|
+ */
|
|
+static inline bool
|
|
+pg_sub_s16_overflow(int16 a, int16 b, int16 *result)
|
|
+{
|
|
+#if defined(HAVE__BUILTIN_OP_OVERFLOW)
|
|
+ return __builtin_sub_overflow(a, b, result);
|
|
+#else
|
|
+ int32 res = (int32) a - (int32) b;
|
|
+
|
|
+ if (res > PG_INT16_MAX || res < PG_INT16_MIN)
|
|
+ {
|
|
+ *result = 0x5EED; /* to avoid spurious warnings */
|
|
+ return true;
|
|
+ }
|
|
+ *result = (int16) res;
|
|
+ return false;
|
|
+#endif
|
|
+}
|
|
+
|
|
+/*
|
|
+ * If a * b overflows, return true, otherwise store the result of a * b into
|
|
+ * *result. The content of *result is implementation defined in case of
|
|
+ * overflow.
|
|
+ */
|
|
+static inline bool
|
|
+pg_mul_s16_overflow(int16 a, int16 b, int16 *result)
|
|
+{
|
|
+#if defined(HAVE__BUILTIN_OP_OVERFLOW)
|
|
+ return __builtin_mul_overflow(a, b, result);
|
|
+#else
|
|
+ int32 res = (int32) a * (int32) b;
|
|
+
|
|
+ if (res > PG_INT16_MAX || res < PG_INT16_MIN)
|
|
+ {
|
|
+ *result = 0x5EED; /* to avoid spurious warnings */
|
|
+ return true;
|
|
+ }
|
|
+ *result = (int16) res;
|
|
+ return false;
|
|
+#endif
|
|
+}
|
|
+
|
|
+/*
|
|
+ * If a + b overflows, return true, otherwise store the result of a + b into
|
|
+ * *result. The content of *result is implementation defined in case of
|
|
+ * overflow.
|
|
+ */
|
|
+static inline bool
|
|
+pg_add_s32_overflow(int32 a, int32 b, int32 *result)
|
|
+{
|
|
+#if defined(HAVE__BUILTIN_OP_OVERFLOW)
|
|
+ return __builtin_add_overflow(a, b, result);
|
|
+#else
|
|
+ int64 res = (int64) a + (int64) b;
|
|
+
|
|
+ if (res > PG_INT32_MAX || res < PG_INT32_MIN)
|
|
+ {
|
|
+ *result = 0x5EED; /* to avoid spurious warnings */
|
|
+ return true;
|
|
+ }
|
|
+ *result = (int32) res;
|
|
+ return false;
|
|
+#endif
|
|
+}
|
|
+
|
|
+/*
|
|
+ * If a - b overflows, return true, otherwise store the result of a - b into
|
|
+ * *result. The content of *result is implementation defined in case of
|
|
+ * overflow.
|
|
+ */
|
|
+static inline bool
|
|
+pg_sub_s32_overflow(int32 a, int32 b, int32 *result)
|
|
+{
|
|
+#if defined(HAVE__BUILTIN_OP_OVERFLOW)
|
|
+ return __builtin_sub_overflow(a, b, result);
|
|
+#else
|
|
+ int64 res = (int64) a - (int64) b;
|
|
+
|
|
+ if (res > PG_INT32_MAX || res < PG_INT32_MIN)
|
|
+ {
|
|
+ *result = 0x5EED; /* to avoid spurious warnings */
|
|
+ return true;
|
|
+ }
|
|
+ *result = (int32) res;
|
|
+ return false;
|
|
+#endif
|
|
+}
|
|
+
|
|
+/*
|
|
+ * If a * b overflows, return true, otherwise store the result of a * b into
|
|
+ * *result. The content of *result is implementation defined in case of
|
|
+ * overflow.
|
|
+ */
|
|
+static inline bool
|
|
+pg_mul_s32_overflow(int32 a, int32 b, int32 *result)
|
|
+{
|
|
+#if defined(HAVE__BUILTIN_OP_OVERFLOW)
|
|
+ return __builtin_mul_overflow(a, b, result);
|
|
+#else
|
|
+ int64 res = (int64) a * (int64) b;
|
|
+
|
|
+ if (res > PG_INT32_MAX || res < PG_INT32_MIN)
|
|
+ {
|
|
+ *result = 0x5EED; /* to avoid spurious warnings */
|
|
+ return true;
|
|
+ }
|
|
+ *result = (int32) res;
|
|
+ return false;
|
|
+#endif
|
|
+}
|
|
+
|
|
+/*
|
|
+ * If a + b overflows, return true, otherwise store the result of a + b into
|
|
+ * *result. The content of *result is implementation defined in case of
|
|
+ * overflow.
|
|
+ */
|
|
+static inline bool
|
|
+pg_add_s64_overflow(int64 a, int64 b, int64 *result)
|
|
+{
|
|
+#if defined(HAVE__BUILTIN_OP_OVERFLOW)
|
|
+ return __builtin_add_overflow(a, b, result);
|
|
+#elif defined(HAVE_INT128)
|
|
+ int128 res = (int128) a + (int128) b;
|
|
+
|
|
+ if (res > PG_INT64_MAX || res < PG_INT64_MIN)
|
|
+ {
|
|
+ *result = 0x5EED; /* to avoid spurious warnings */
|
|
+ return true;
|
|
+ }
|
|
+ *result = (int64) res;
|
|
+ return false;
|
|
+#else
|
|
+ if ((a > 0 && b > 0 && a > PG_INT64_MAX - b) ||
|
|
+ (a < 0 && b < 0 && a < PG_INT64_MIN - b))
|
|
+ {
|
|
+ *result = 0x5EED; /* to avoid spurious warnings */
|
|
+ return true;
|
|
+ }
|
|
+ *result = a + b;
|
|
+ return false;
|
|
+#endif
|
|
+}
|
|
+
|
|
+/*
|
|
+ * If a - b overflows, return true, otherwise store the result of a - b into
|
|
+ * *result. The content of *result is implementation defined in case of
|
|
+ * overflow.
|
|
+ */
|
|
+static inline bool
|
|
+pg_sub_s64_overflow(int64 a, int64 b, int64 *result)
|
|
+{
|
|
+#if defined(HAVE__BUILTIN_OP_OVERFLOW)
|
|
+ return __builtin_sub_overflow(a, b, result);
|
|
+#elif defined(HAVE_INT128)
|
|
+ int128 res = (int128) a - (int128) b;
|
|
+
|
|
+ if (res > PG_INT64_MAX || res < PG_INT64_MIN)
|
|
+ {
|
|
+ *result = 0x5EED; /* to avoid spurious warnings */
|
|
+ return true;
|
|
+ }
|
|
+ *result = (int64) res;
|
|
+ return false;
|
|
+#else
|
|
+ if ((a < 0 && b > 0 && a < PG_INT64_MIN + b) ||
|
|
+ (a > 0 && b < 0 && a > PG_INT64_MAX + b))
|
|
+ {
|
|
+ *result = 0x5EED; /* to avoid spurious warnings */
|
|
+ return true;
|
|
+ }
|
|
+ *result = a - b;
|
|
+ return false;
|
|
+#endif
|
|
+}
|
|
+
|
|
+/*
|
|
+ * If a * b overflows, return true, otherwise store the result of a * b into
|
|
+ * *result. The content of *result is implementation defined in case of
|
|
+ * overflow.
|
|
+ */
|
|
+static inline bool
|
|
+pg_mul_s64_overflow(int64 a, int64 b, int64 *result)
|
|
+{
|
|
+#if defined(HAVE__BUILTIN_OP_OVERFLOW)
|
|
+ return __builtin_mul_overflow(a, b, result);
|
|
+#elif defined(HAVE_INT128)
|
|
+ int128 res = (int128) a * (int128) b;
|
|
+
|
|
+ if (res > PG_INT64_MAX || res < PG_INT64_MIN)
|
|
+ {
|
|
+ *result = 0x5EED; /* to avoid spurious warnings */
|
|
+ return true;
|
|
+ }
|
|
+ *result = (int64) res;
|
|
+ return false;
|
|
+#else
|
|
+ /*
|
|
+ * Overflow can only happen if at least one value is outside the range
|
|
+ * sqrt(min)..sqrt(max) so check that first as the division can be quite a
|
|
+ * bit more expensive than the multiplication.
|
|
+ *
|
|
+ * Multiplying by 0 or 1 can't overflow of course and checking for 0
|
|
+ * separately avoids any risk of dividing by 0. Be careful about dividing
|
|
+ * INT_MIN by -1 also, note reversing the a and b to ensure we're always
|
|
+ * dividing it by a positive value.
|
|
+ *
|
|
+ */
|
|
+ if ((a > PG_INT32_MAX || a < PG_INT32_MIN ||
|
|
+ b > PG_INT32_MAX || b < PG_INT32_MIN) &&
|
|
+ a != 0 && a != 1 && b != 0 && b != 1 &&
|
|
+ ((a > 0 && b > 0 && a > PG_INT64_MAX / b) ||
|
|
+ (a > 0 && b < 0 && b < PG_INT64_MIN / a) ||
|
|
+ (a < 0 && b > 0 && a < PG_INT64_MIN / b) ||
|
|
+ (a < 0 && b < 0 && a < PG_INT64_MAX / b)))
|
|
+ {
|
|
+ *result = 0x5EED; /* to avoid spurious warnings */
|
|
+ return true;
|
|
+ }
|
|
+ *result = a * b;
|
|
+ return false;
|
|
+#endif
|
|
+}
|
|
+
|
|
+#endif /* COMMON_INT_H */
|
|
--
|
|
2.39.3
|
|
|