Fix "path" infrastructure bug affecting jsonb_set()

jsonb_set() and other clients of the setPathArray() utility function could get spurious results when an array integer subscript is provided that is not within the range of int. To fix, ensure that the value returned by strtol() within setPathArray() is within the range of int; when it isn't, assume an invalid input in line with existing, similar cases. The path-orientated operators that appeared in PostgreSQL 9.3 and 9.4 do not call setPathArray(), and already independently take this precaution, so no change there. Peter Geoghegan
author: Andrew Dunstan 2015-06-12 23:26:03 +0000
committer: Andrew Dunstan 2015-06-12 23:26:03 +0000
commit: 2271d002d5c305441398e8f7a295f18ec3c132a9 (patch)
tree: 350d417c4ebb8581dc9fab556d3cdda55161e8aa
parent: ae58f1430abb4b0c309c40b377f91bf9d080334b (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/src/backend/utils/adt/jsonfuncs.c b/src/backend/utils/adt/jsonfuncs.c
index c14d3f73fca..13d5b7af2f4 100644
--- a/src/backend/utils/adt/jsonfuncs.c
+++ b/src/backend/utils/adt/jsonfuncs.c
@@ -3814,11 +3814,14 @@ setPathArray(JsonbIterator **it, Datum *path_elems, bool *path_nulls,
 	if (level < path_len && !path_nulls[level])
 	{
 		char	   *c = VARDATA_ANY(path_elems[level]);
+		long		lindex;
 
 		errno = 0;
-		idx = (int) strtol(c, &badp, 10);
-		if (errno != 0 || badp == c)
+		lindex = strtol(c, &badp, 10);
+		if (errno != 0 || badp == c || lindex > INT_MAX || lindex < INT_MIN)
 			idx = nelems;
+		else
+			idx = lindex;
 	}
 	else
 		idx = nelems;
author	Andrew Dunstan	2015-06-12 23:26:03 +0000
committer	Andrew Dunstan	2015-06-12 23:26:03 +0000
commit	2271d002d5c305441398e8f7a295f18ec3c132a9 (patch)
tree	350d417c4ebb8581dc9fab556d3cdda55161e8aa
parent	ae58f1430abb4b0c309c40b377f91bf9d080334b (diff)