git.ipfire.org Git - thirdparty/postgresql.git/commit

author	Tom Lane <tgl@sss.pgh.pa.us>
	Mon, 9 Feb 2026 14:57:44 +0000 (09:57 -0500)
committer	Tom Lane <tgl@sss.pgh.pa.us>
	Mon, 9 Feb 2026 14:57:44 +0000 (09:57 -0500)
commit	3d160401b65e1d37ca19cf9b78d01aac53ac9605
tree	61e3bcf8279672eb54342b38d6dcafe7228415f7	tree \| snapshot
parent	dc072a09ad6a0b89d021047b2418f517a430966d	commit \| diff

Guard against unexpected dimensions of oidvector/int2vector.

These data types are represented like full-fledged arrays, but
functions that deal specifically with these types assume that the
array is 1-dimensional and contains no nulls. However, there are
cast pathways that allow general oid[] or int2[] arrays to be cast
to these types, allowing these expectations to be violated. This
can be exploited to cause server memory disclosure or SIGSEGV.
Fix by installing explicit checks in functions that accept these
types.

Reported-by: Altan Birler <altan.birler@tum.de>
Author: Tom Lane <tgl@sss.pgh.pa.us>
Reviewed-by: Noah Misch <noah@leadboat.com>
Security: CVE-2026-2003
Backpatch-through: 14

src/backend/access/hash/hashfunc.c		diff \| blob \| blame \| history
src/backend/access/nbtree/nbtcompare.c		diff \| blob \| blame \| history
src/backend/utils/adt/format_type.c		diff \| blob \| blame \| history
src/backend/utils/adt/int.c		diff \| blob \| blame \| history
src/backend/utils/adt/oid.c		diff \| blob \| blame \| history
src/include/utils/builtins.h		diff \| blob \| blame \| history
src/test/regress/expected/arrays.out		diff \| blob \| blame \| history
src/test/regress/sql/arrays.sql		diff \| blob \| blame \| history