|
static void |
|
rsc_update_with_max_blkno(XLogReaderState *record) |
|
{ |
|
RelFileLocator rlocator; |
|
ForkNumber forknum = MAIN_FORKNUM; |
|
BlockNumber blkno; |
|
BlockNumber max_blkno = InvalidBlockNumber; |
|
|
|
for (int i = 0; i <= XLogRecMaxBlockId(record); i++) |
|
{ |
|
ForkNumber _forknum; |
|
|
|
if (!XLogRecHasBlockRefInUse(record, i)) |
|
continue; |
|
|
|
XLogRecGetBlockTag(record, i, &rlocator, &_forknum, &blkno); |
|
Assert(_forknum == forknum); |
|
|
|
if (max_blkno == InvalidBlockNumber) |
|
max_blkno = blkno; |
|
else |
|
max_blkno = Max(max_blkno, blkno); |
|
} |
|
|
|
polar_rsc_update_if_exists(&rlocator, |
|
forknum, |
|
max_blkno + 1, |
I found an integer overflow vulnerability on line 70.
The declaration `int max_block_id; /* highest block_id in use (-1 if none) */` in src/include/access/xlogreader.h indicates that XLogRecMaxBlockId may return -1, in which case the loop on line 52 is not executed. The uint32 variable max_blkno then still holds its initial value InvalidBlockNumber, the maximum uint32 value, which is defined by the macro `#define InvalidBlockNumber ((BlockNumber) 0xFFFFFFFF)` on line 33 of src/include/storage/block.h. Therefore, if the loop body never runs, max_blkno + 1 overflows: the unsigned addition wraps around to 0, and that 0 is the value passed to polar_rsc_update_if_exists. In the same case rlocator, which is only assigned inside the loop, is passed uninitialized.
PolarDB-for-PostgreSQL/src/backend/storage/smgr/polar_rsc_replica.c
Lines 44 to 70 in accf02e
I found an integer overflow vulnerability on line 70.
The declaration `int max_block_id; /* highest block_id in use (-1 if none) */` in src/include/access/xlogreader.h indicates that XLogRecMaxBlockId may return -1, in which case the loop on line 52 is not executed. The uint32 variable max_blkno then still holds its initial value InvalidBlockNumber, the maximum uint32 value, which is defined by the macro `#define InvalidBlockNumber ((BlockNumber) 0xFFFFFFFF)` on line 33 of src/include/storage/block.h. Therefore, if the loop body never runs, max_blkno + 1 overflows: the unsigned addition wraps around to 0, and that 0 is the value passed to polar_rsc_update_if_exists. In the same case rlocator, which is only assigned inside the loop, is passed uninitialized.