Re: Server may segfault when using slices on int2vector
From | Heikki Linnakangas |
---|---|
Subject | Re: Server may segfault when using slices on int2vector |
Date | |
Msg-id | 528CA074.4030307@vmware.com |
In response to | Server may segfault when using slices on int2vector (Ronan Dunklau <ronan.dunklau@dalibo.com>) |
Responses |
Re: Server may segfault when using slices on int2vector
Re: Server may segfault when using slices on int2vector |
List | pgsql-bugs |
On 19.11.2013 16:24, Ronan Dunklau wrote:
> Hello.
>
> While building a query on the pg_index relation, I came across a bug whose
> simplest form is manifested as this:
>
> select
> a.indkey[1:3],
> a.indkey[1:2]
> from pg_index as a
>
> This can result either in a segfault, a failed memory allocation or gibberish
> results.

Hmm. int2vectorout expects the int2vector to have a single dimension, but array_get_slice() returns a zero-dimension array if the result is empty.

I don't think it's safe to allow slicing int2vectors (nor oidvectors). It seems all too likely that the result violates the limitations of int2vector. In addition to that segfault, the array returned is 1-based, not 0-based as we assume for int2vectors. One consequence of that is that if you COPY the value out in binary format and try to read it back, you'll get an error.

So I think we should just not allow slicing oidvectors, and throw an error. You can cast from int2vector to int2[], and slice and dice that as much as you want, so it's not a big loss in functionality.

Another solution would be to provide a specialized slice-function for int2vector and oidvector, but it's probably not worth the effort.

Thanks for the report!

- Heikki
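The two invariants discussed in the message above (single dimension, 0-based subscripts) can be shown in a small model. This is an added example, not part of the original message and not PostgreSQL source code; `ModelArray`, `make_vector`, `model_slice`, `vector_invariants_ok` and `vector_length_checked` are hypothetical names, and the slice only follows the behaviour the message describes.

```c
/* Simplified model for illustration; hypothetical names, not PostgreSQL source. */
#include <stdio.h>
#include <string.h>
#define MAX_ELEMS 32
typedef struct {
    int   ndim;              /* 0 = zero-dimension (empty) array, 1 = vector */
    int   lbound;            /* lower bound of the single dimension */
    int   nelems;
    short elems[MAX_ELEMS];
} ModelArray;

/* A well-formed vector: one dimension, subscripts start at 0. */
ModelArray make_vector(const short *vals, int n) {
    int k = n < 0 ? 0 : (n > MAX_ELEMS ? MAX_ELEMS : n);   /* bound the copy */
    ModelArray a = { 1, 0, k, {0} };
    memcpy(a.elems, vals, (size_t)k * sizeof(short));
    return a;
}

/* Generic slice as described: empty result is 0-D, non-empty starts at 1. */
ModelArray model_slice(const ModelArray *a, int lo, int hi) {
    ModelArray r = { 0, 0, 0, {0} };
    int first = a->lbound, last = a->lbound + a->nelems - 1;
    if (a->ndim != 1) return r;
    if (lo < first) lo = first;
    if (hi > last)  hi = last;
    if (lo > hi) return r;                      /* empty: ndim stays 0 */
    r.ndim = 1; r.lbound = 1; r.nelems = hi - lo + 1;
    memcpy(r.elems, a->elems + (lo - first), (size_t)r.nelems * sizeof(short));
    return r;
}

/* The two limitations named in the thread: single dimension, 0-based. */
int vector_invariants_ok(const ModelArray *a) {
    return a->ndim == 1 && a->lbound == 0;
}

/* Guarded accessor: refuse a malformed value instead of trusting its header. */
int vector_length_checked(const ModelArray *a, int *len) {
    if (!vector_invariants_ok(a)) return -1;
    *len = a->nelems;
    return 0;
}

int main(void) {
    short one_col[] = { 1 };                    /* constructed sample value */
    ModelArray v = make_vector(one_col, 1), s = model_slice(&v, 1, 3);
    printf("source ok=%d, slice ndim=%d ok=%d\n",
           vector_invariants_ok(&v), s.ndim, vector_invariants_ok(&s));
    return 0;
}
```

A one-element, 0-based vector sliced with `[1:3]` yields the zero-dimension case, and any non-empty slice fails the 0-based check, so both outcomes are rejected by the guarded accessor.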