pg_freespacemap: Fix declaration of pg_freespace(regclass)

This function called generate_series() without enforcing its input
argument types, making possible for an attacker to catch this call, by
defining for example a generate_series(int,bigint).

The internals of pg_freespace(regclass) are changed to force the use of
bigint for the inputs of generate_series().  A more consistent style is
applied for all its hardcoded values, while on it.

Issue introduced in 3f323eba89fb.

Reported-by: Noah Misch
Reviewed-by: Noah Misch
Discussion: https://postgr.es/m/20250106190428[email protected]

diff --git a/contrib/pg_freespacemap/pg_freespacemap--1.2--1.3.sql b/contrib/pg_freespacemap/pg_freespacemap--1.2--1.3.sql
index 7f92c9e92e32e998ee3f422cd3000defc8e077e8..4986109bdafdaeb3e52fdc4d9b5024829d41cd99 100644 (file)
--- a/contrib/pg_freespacemap/pg_freespacemap--1.2--1.3.sql
+++ b/contrib/pg_freespacemap/pg_freespacemap--1.2--1.3.sql
@@ -9,5 +9,5 @@ RETURNS SETOF RECORD
 LANGUAGE SQL PARALLEL SAFE
 BEGIN ATOMIC
   SELECT blkno, pg_freespace($1, blkno) AS avail
-  FROM generate_series(0, pg_relation_size($1) / current_setting('block_size')::bigint - 1) AS blkno;
+  FROM generate_series('0'::bigint, pg_relation_size($1) / current_setting('block_size'::text)::bigint - '1'::bigint) AS blkno;
 END;