Re: Fix bug of COPY (on_error set_null)

On Fri, May 15, 2026 at 9:13 AM Chao Li <li(dot)evan(dot)chao(at)gmail(dot)com> wrote:
>
> Hi,
>
> I just tested “Add COPY (column list) (on_error set_null) option”. While tracing a normal case, I found a mistake:
>
> In BeginCopyFrom(), cstate->domain_with_constraint is allocated using the length of the specified column list, and set using the index in that column list:
> ```
> int attr_count = list_length(cstate->attnumlist);
>
> /*
> * When data type conversion fails and ON_ERROR is SET_NULL, we need
> * ensure that the input column allow null values. ExecConstraints()
> * will cover most of the cases, but it does not verify domain
> * constraints. Therefore, for constrained domains, the null value
> * check must be performed during the initial string-to-datum
> * conversion (see CopyFromTextLikeOneRow()).
> */
> cstate->domain_with_constraint = palloc0_array(bool, attr_count); <== allocate with length of column list from SQL
>
> foreach_int(attno, cstate->attnumlist)
> {
> int i = foreach_current_index(attno);
>
> Form_pg_attribute att = TupleDescAttr(tupDesc, attno - 1);
>
> cstate->domain_with_constraint[i] = DomainHasConstraints(att->atttypid, NULL); <= set with index of column list from SQL
> }
> ```
>
> However, cstate->domain_with_constraint is read in CopyFromTextLikeOneRow(), where it is accessed using the actual attribute number:
> ```
> /* Loop to read the user attributes on the line. */
> foreach(cur, cstate->attnumlist)
> {
> int attnum = lfirst_int(cur);
> int m = attnum - 1;
>
> ...
> if (!cstate->domain_with_constraint[m] ||
> ```
>
> So, if the column list specified in SQL is shorter than the table’s actual attribute list, this may cause an out-of-bounds read.
>
Hi.

This appears to be the same issue as reported here:
https://postgr.es/m/CAHg+QDdej0c0gWJi2FnbirzhgzyZNPiTwC1P5B_-dSNCzq-91A@mail.gmail.com