Tighten up overflow check in path_recv, pursuant to code review inspired

by Ken Ashcraft's report.  I think there is no actual bug here since if
the int32 value does wrap a little bit, palloc will still reject it.
Still it's better that the code be obviously correct.

diff --git a/src/backend/utils/adt/geo_ops.c b/src/backend/utils/adt/geo_ops.c
index 5a669d7c9a972abdb76dc83ba25f4dc9f19e2459..58f621a84ae2ef6ba5b8e557888ef53b438219a7 100644 (file)
--- a/src/backend/utils/adt/geo_ops.c
+++ b/src/backend/utils/adt/geo_ops.c
@@ -1383,7 +1383,7 @@ path_recv(PG_FUNCTION_ARGS)
 
        closed = pq_getmsgbyte(buf);
        npts = pq_getmsgint(buf, sizeof(int32));
-       if (npts < 0 || npts >= (int32) (INT_MAX / sizeof(Point)))
+       if (npts < 0 || npts >= (int32) ((INT_MAX - offsetof(PATH, p[0])) / sizeof(Point)))
                ereport(ERROR,
                                (errcode(ERRCODE_INVALID_BINARY_REPRESENTATION),
                                 errmsg("invalid number of points in external \"path\" value")));