From af9194568aafc18a7e91714ec0fc82b3bf797045 Mon Sep 17 00:00:00 2001 From: David Christensen Date: Thu, 16 Apr 2026 16:06:18 -0400 Subject: [PATCH] Critical: fix inverted logic here strcmp(str, "") returns 0 (false) when str is empty, meaning the check is inverted: it returns NULL when parsing succeeds and continues when parsing fails. This allows non-numeric strings to pass through as array indices, leading to type confusion and potentially incorrect memory access. The strcmp logic handles most cases correctly (non-numeric strings return NULL, valid integers pass through). However, the empty string "" is accepted as a valid array index of 0: [10, 20, 30] #> '[""]' returns 10 instead of NULL. This occurs because strtol("") sets lindex=0 and str="", so strcmp("", "") returns 0, bypassing the error check. Signed-off-by: David Christensen --- src/backend/utils/adt/agtype_ops.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/backend/utils/adt/agtype_ops.c b/src/backend/utils/adt/agtype_ops.c index d831447b0..8b6efd1dc 100644 --- a/src/backend/utils/adt/agtype_ops.c +++ b/src/backend/utils/adt/agtype_ops.c @@ -2098,7 +2098,7 @@ static Datum get_agtype_path_all(FunctionCallInfo fcinfo, bool as_text) char* str = NULL; lindex = strtol(cur_key->val.string.val, &str, 10); - if (strcmp(str, "")) + if (strcmp(str, "") != 0) { PG_RETURN_NULL(); }
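Review bot: The new condition `if (strcmp(str, "") != 0)` is equivalent in C to the old `if (strcmp(str, ""))`, so this hunk changes no behaviour and the empty-key case from the commit message (`'[""]'` returning the first element) is still accepted as index 0. With an empty key, strtol() consumes nothing and leaves `str` at the start of the input, which is itself an empty string, so the check passes. The guard should also reject the no-digits case, for example `if (str == cur_key->val.string.val || *str != '\0')`. It would also be worth setting `errno = 0;` before the call and adding `|| errno == ERANGE` to the condition, so that an out-of-range key returns NULL rather than a clamped `lindex`. The rest of get_agtype_path_all, including how `lindex` is bounds-checked, lies outside this hunk, so that part should be confirmed against the full function.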