array_in() and array_recv() need to be more paranoid about validating
authorTom Lane <tgl@sss.pgh.pa.us>
Mon, 15 Aug 2005 19:41:06 +0000 (19:41 +0000)
committerTom Lane <tgl@sss.pgh.pa.us>
Mon, 15 Aug 2005 19:41:06 +0000 (19:41 +0000)
their OID parameter.  It was possible to crash the backend with
select array_in('{123}',0,0); because that would bypass the needed step
of initializing the workspace.  These seem to be the only two places
with a problem, though (record_in and record_recv don't have the issue,
and the other array functions aren't depending on user-supplied input).
Back-patch as far as 7.4; 7.3 does not have the bug.

src/backend/utils/adt/arrayfuncs.c

index 9c9d3541e1e9e2bd227169ef56e4c4fcc0e9f5c5..ac08ffc19fdb9d04050a9433d0892468073fbaee 100644 (file)
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *       $Header: /cvsroot/pgsql/src/backend/utils/adt/arrayfuncs.c,v 1.100.2.3 2005/03/24 21:51:04 tgl Exp $
+ *       $Header: /cvsroot/pgsql/src/backend/utils/adt/arrayfuncs.c,v 1.100.2.4 2005/08/15 19:41:06 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -154,7 +154,7 @@ array_in(PG_FUNCTION_ARGS)
                fcinfo->flinfo->fn_extra = MemoryContextAlloc(fcinfo->flinfo->fn_mcxt,
                                                                                                 sizeof(ArrayMetaState));
                my_extra = (ArrayMetaState *) fcinfo->flinfo->fn_extra;
-               my_extra->element_type = InvalidOid;
+               my_extra->element_type = ~element_type;
        }
 
        if (my_extra->element_type != element_type)
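Review bot: The `~element_type` sentinel in array_in's first-call branch needs a comment, because nothing on the line says why the complement is used instead of `InvalidOid`. With the old sentinel, a caller-supplied element_type of 0 compared equal in the `if (my_extra->element_type != element_type)` test just below, so the step that initializes the newly allocated ArrayMetaState was skipped; the complement can never equal the argument. I would add `/* ~element_type never equals element_type, so the lookup below always runs on the first call, even for OID 0 */` above the assignment, and the same comment on the identical line in the array_recv hunk at -939/+930. The page shows only arrayfuncs.c changing, so a regression test that checks the `array_in('{123}',0,0)` call from the description fails cleanly would be worth adding alongside. array_in's body continues outside the hunk.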
@@ -919,15 +919,6 @@ array_recv(PG_FUNCTION_ARGS)
        }
        nitems = ArrayGetNItems(ndim, dim);
 
-       if (nitems == 0)
-       {
-               /* Return empty array */
-               retval = (ArrayType *) palloc0(sizeof(ArrayType));
-               retval->size = sizeof(ArrayType);
-               retval->elemtype = element_type;
-               PG_RETURN_ARRAYTYPE_P(retval);
-       }
-
        /*
         * We arrange to look up info about element type, including its
         * receive conversion proc, only once per series of calls, assuming
@@ -939,7 +930,7 @@ array_recv(PG_FUNCTION_ARGS)
                fcinfo->flinfo->fn_extra = MemoryContextAlloc(fcinfo->flinfo->fn_mcxt,
                                                                                                 sizeof(ArrayMetaState));
                my_extra = (ArrayMetaState *) fcinfo->flinfo->fn_extra;
-               my_extra->element_type = InvalidOid;
+               my_extra->element_type = ~element_type;
        }
 
        if (my_extra->element_type != element_type)
@@ -958,6 +949,16 @@ array_recv(PG_FUNCTION_ARGS)
                                          fcinfo->flinfo->fn_mcxt);
                my_extra->element_type = element_type;
        }
+
+       if (nitems == 0)
+       {
+               /* Return empty array ... but not till we've validated element_type */
+               retval = (ArrayType *) palloc0(sizeof(ArrayType));
+               retval->size = sizeof(ArrayType);
+               retval->elemtype = element_type;
+               PG_RETURN_ARRAYTYPE_P(retval);
+       }
+
        typlen = my_extra->typlen;
        typbyval = my_extra->typbyval;
        typalign = my_extra->typalign;
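Review bot: The new comment on the `nitems == 0` return says element_type has been validated but not by what, so the ordering constraint is easy to break in a later refactor. The only code above it in this hunk is the tail of the `my_extra` lookup block, which presumably raises an error for an OID that is not a usable element type; that block begins outside the hunk, so this is inferred. I would spell the dependency out: `/* Return empty array; must stay after the my_extra lookup above, which is what rejects a bad element_type */`.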