| From: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
|---|---|
| To: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> |
| Cc: | Andres Freund <andres(at)anarazel(dot)de>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: oauth integer overflow |
| Date: | 2026-04-28 11:17:54 |
| Message-ID: | 52EEC73C-5887-43F0-848B-DF515DCDFBBF@yesql.se |
| Lists: | pgsql-hackers |
> On 23 Apr 2026, at 21:05, Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> wrote:
>
> On Thu, Apr 23, 2026 at 11:37 AM Andres Freund <andres(at)anarazel(dot)de> wrote:
>> How about instead making sure that actx->authz.interval never gets big enough
>> to have any chance of overflowing during either the += 5 or the * 1000? It's
>> clearly ok to error out well before that...
>
> It probably is, but I guess the approach depends on whether you prefer
> checking at the time of operation, or attempting to reason about it
> ahead of time in far-away code. With the latter, if additional math is
> added in the future, then either the new overflow hazard gets missed,
> or the ceiling gets lowered again, or the new math gets an overflow
> check when the others don't. I prefer the time-of-use pattern,
> personally.

I am fine with your approach in the attached patch. If you don't like the
static assert you could move it to be out of the way, and expand the comment
for it to what it means if it hits. Just one small nitpick on the patch:

+ * LONG_MAX milliseconds is 24 days on 32-bit platforms,
+ * which for most people is going to be equivalent to a
+ * disabled timer... but avoid overflow in case the
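
Review bot: "24 days on 32-bit platforms" in the first added comment line ties the limit to the platform's word size, but it depends on the width of long, which is also 32 bits on 64-bit Windows. Consider wording it as "where long is 32 bits". The figure is also rounded down: 2^31 - 1 milliseconds is about 24.9 days.
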
When reading "disabled timer" I interpret that as a timer which is 0 and has no
interval (which might be due to not being a native speaker), but what it
actually describes is an interval which (in practice) never ends. Perhaps it
could be phrased more like "for most people is going to be equivalent to a
never ending interval".
--
Daniel Gustafsson
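
The time-of-use pattern discussed in the quoted exchange, sketched in C as an added example; it is not the attached patch or PostgreSQL code. It assumes the interval is an int count of seconds and the timer takes long milliseconds, and all helper names are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumption: interval is an int count of seconds (type not shown on the page). */

/* Add step seconds; on overflow return false and leave *interval unchanged. */
static bool
interval_add_checked(int *interval, int step)
{
	if ((step > 0 && *interval > INT_MAX - step) ||
		(step < 0 && *interval < INT_MIN - step))
		return false;
	*interval += step;
	return true;
}

/* Convert seconds to long milliseconds; false if negative or too large. */
static bool
interval_to_ms_checked(int seconds, long *ms)
{
	/* LONG_MAX / 1000 is about 2.1 million where long is 32 bits. */
	if (seconds < 0 || seconds > LONG_MAX / 1000)
		return false;
	*ms = (long) seconds * 1000;
	return true;
}

/* Both steps together: slow down by 5 s, then produce the timer value. */
static bool
next_delay_ms(int *interval, long *ms)
{
	int			next = *interval;

	if (!interval_add_checked(&next, 5) ||
		!interval_to_ms_checked(next, ms))
		return false;
	*interval = next;
	return true;
}

int
main(void)
{
	int			interval = INT_MAX - 4;	/* constructed hostile value */
	long		ms = 0;

	printf("%s\n", next_delay_ms(&interval, &ms) ? "ok" : "rejected: would overflow");
	return 0;
}
```

Each check sits next to the arithmetic it guards, so math added later needs its own check and cannot silently invalidate a ceiling enforced elsewhere.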