Re: Re[2]: BUG #17561: Server crashes on executing row() with very long argument list

On Mon, Aug 1, 2022 at 6:03 PM Richard Guo <guofenglinux@gmail.com> wrote:

On Mon, Aug 1, 2022 at 3:17 PM Егор Чиндяскин <kyzevan23@mail.ru> wrote:

Thank you, Tom! The fix works for that case, but there is another one.

I got server crashed while executing the following script: 

 

(echo "SELECT * FROM json_to_record('{\"0\":0 ";for((i=1;i<100001;i++));do echo ",\"$i\":$i";done; echo "}') as x("; echo "\"0\" int";for((i=1;i<100001;i++));do echo ",\"$i\" int";done;echo ")") | psql 

Thanks for the report! This is another place that we construct a tupdesc
with more than MaxAttrNumber attributes, via RangeFunctions this time.

Regarding the fix, how about we check the length of coldeflist against
MaxTupleAttributeNumber in transformRangeFunction()?

I mean something like this:

diff --git a/src/backend/parser/parse_clause.c b/src/backend/parser/parse_clause.c
index 5a18107e79..a74a07667d 100644
--- a/src/backend/parser/parse_clause.c
+++ b/src/backend/parser/parse_clause.c
@@ -629,6 +629,15 @@ transformRangeFunction(ParseState *pstate, RangeFunction *r)
         */
        if (r->coldeflist)
        {
+               /* Disallow more columns than will fit in a tuple */
+               if (list_length(r->coldeflist) > MaxTupleAttributeNumber)
+                       ereport(ERROR,
+                                       (errcode(ERRCODE_TOO_MANY_COLUMNS),
+                                        errmsg("Function returning RECORD can have at most %d entries",
+                                                       MaxTupleAttributeNumber),
+                                        parser_errposition(pstate,
+                                                                               exprLocation((Node *) r->coldeflist))));
+
                if (list_length(funcexprs) != 1)
                {
                        if (r->is_rowsfrom)