Fw:Re: Fw: ltree_compare in contrib/ltree/ltree_op.c overflows int32 on deep ltree comparisons, returning the wrong sign

-------- 转发邮件信息 --------
发件人：Noah Misch <noah(at)leadboat(dot)com>
发送日期：2026-06-13 08:31:47
收件人："violin0613(at)tju(dot)edu(dot)cn" <violin0613(at)tju(dot)edu(dot)cn>
抄送人：security(at)postgresql(dot)org
主题：Re: Fw: ltree_compare in contrib/ltree/ltree_op.c overflows int32 on deep ltree comparisons, returning the wrong sign
On Mon, May 25, 2026 at 10:58:05PM +0800, violin0613(at)tju(dot)edu(dot)cn wrote:
> PoC
>
> File vuln_001.sql
>
> CREATE EXTENSION IF NOT EXISTS ltree;
> â
> WITH s AS (SELECT 'a'::ltree AS v),
> l AS (SELECT (repeat('a.', 19999) || 'a')::ltree AS v)
> SELECT (l.v > s.v) AS long_gt_short_expected_true,
> (l.v < s.v) AS long_lt_short_expected_false
> FROM s, l;
>
> Process
>
> psql -h /tmp -p 36265 -U postgres -f vuln_001.sql
>
> Results
>
> long_gt_short_expected_true | long_lt_short_expected_false
> -----------------------------+------------------------------
> f | t
>
> Both columns are inverted. long > short returned false, long < short
> returned true.

This is certainly a bug, but it's not a vuln. Please report the bug to
pgsql-bugs(at)postgresql(dot)org(dot)