| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Varik Matevosyan <varikmatevosyan(at)gmail(dot)com> |
| Cc: | pgsql-hackers(at)lists(dot)postgresql(dot)org |
| Subject: | Re: [PATCH] contrib/xml2: guard against signed integer overflow in parse_params |
| Date: | 2026-05-04 13:21:00 |
| Message-ID: | 186450.1777900860@sss.pgh.pa.us |
| Lists: | pgsql-hackers |
Varik Matevosyan <varikmatevosyan(at)gmail(dot)com> writes:
> Small robustness fix for contrib/xml2/parse_params. The doubling
> of max_params relies on signed-integer overflow wrapping to a value
> that AllocSizeIsValid then rejects, which is both UB and incidental
> safety.

There are many many places in our tree that handle that the same way.
The argument that it's UB is nonsense, because AllocSizeIsValid
rejects values >= 1G, so that it will fail on the iteration before
the integer counter can overflow. (This is indeed exactly why that
limit is 1G and not 2G; see the comment for MaxAllocSize.)

I think this proposal makes parse_params less like other code,
not more so, so I don't think we need extra code here.

			regards, tom lane
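The argument above is easy to check mechanically. The following C program is an added example, not code from the thread or from PostgreSQL: it replays a parse_params-style growth loop (an int capacity that doubles, with (cap + 1) * elem_size bytes requested each round) against a model of the 1 GB allocation guard, without allocating anything, and reports whether a request is rejected before the int counter could wrap. Only the limit value (0x3fffffff, 1 GB minus one byte) is taken from the guard the message refers to; the start of 20 slots, the element sizes tried, and the 2 GB comparison limit are assumptions made for the demonstration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Model of the size guard the message refers to: a single allocation request
 * of 1 GB or more is rejected (limit 0x3fffffff, i.e. 1 GB - 1, and a request
 * is valid iff request <= limit). Only the limit is reproduced here; this is
 * not the project's own macro. */
#define MODEL_LIMIT_1G ((size_t) 0x3fffffff)
/* Hypothetical 2 GB limit, used only to show why the real one is 1 GB. */
#define MODEL_LIMIT_2G ((size_t) 0x7fffffff)

enum grow_outcome
{
    GROW_REJECTED,          /* a request exceeded the limit before the int could wrap */
    GROW_COUNTER_OVERFLOW   /* doubling would have wrapped the int counter (the UB case) */
};

/* Replay the growth loop without allocating: start with `initial_cap` slots,
 * ask for (cap + 1) * elem_size bytes, and double the int counter each time the
 * request is accepted. Stops at the first rejected request, or, if the counter
 * would leave the int range first, reports that instead of wrapping.
 * *cap_at_stop receives the counter value at the point the loop stopped. */
enum grow_outcome
simulate_doubling(int initial_cap, size_t elem_size, size_t limit, int *cap_at_stop)
{
    int cap = initial_cap;

    for (;;)
    {
        /* (cap + 1) mirrors the extra terminator slot; computed in size_t so
         * the model itself cannot overflow while it measures the real loop */
        size_t request = ((size_t) cap + 1) * elem_size;

        if (request > limit)
        {
            *cap_at_stop = cap;
            return GROW_REJECTED;
        }
        if (cap > INT_MAX / 2)
        {
            *cap_at_stop = cap;
            return GROW_COUNTER_OVERFLOW;
        }
        cap *= 2;
    }
}

/* Wrappers that expose each result as a plain value. */
int
stop_outcome(int initial_cap, size_t elem_size, size_t limit)
{
    int stop;
    return (int) simulate_doubling(initial_cap, elem_size, limit, &stop);
}

int
stop_capacity(int initial_cap, size_t elem_size, size_t limit)
{
    int stop;
    simulate_doubling(initial_cap, elem_size, limit, &stop);
    return stop;
}

/* Exhaustive check of the claim: under `limit`, every start value up to
 * max_initial_cap and every element size up to max_elem_size hits a rejected
 * request before the counter can wrap. With the 1 GB limit this holds for
 * any cap at all, because INT_MAX / 2 == 0x3fffffff: a cap that could
 * overflow on doubling already asks for at least 0x3fffffff + 2 bytes. */
int
doubling_is_safe(size_t limit, int max_initial_cap, size_t max_elem_size)
{
    int cap;
    size_t elem;

    for (cap = 1; cap <= max_initial_cap; cap++)
        for (elem = 1; elem <= max_elem_size; elem++)
            if (stop_outcome(cap, elem, limit) != GROW_REJECTED)
                return 0;
    return 1;
}

int
main(void)
{
    /* assumed start of 20 slots of char *, as a parse_params-style buffer */
    printf("1 GB limit, %zu-byte slots: rejected at cap %d (INT_MAX is %d)\n",
           sizeof(char *), stop_capacity(20, sizeof(char *), MODEL_LIMIT_1G), INT_MAX);
    /* worst case for the argument: 1-byte elements */
    printf("1 GB limit, 1-byte slots: rejected at cap %d\n",
           stop_capacity(20, 1, MODEL_LIMIT_1G));
    /* with a 2 GB limit the same loop reaches a cap whose doubling would wrap */
    if (stop_outcome(20, 1, MODEL_LIMIT_2G) == GROW_COUNTER_OVERFLOW)
        printf("2 GB limit, 1-byte slots: counter would overflow at cap %d\n",
               stop_capacity(20, 1, MODEL_LIMIT_2G));
    printf("1 GB limit safe for all tried starts/sizes: %s\n",
           doubling_is_safe(MODEL_LIMIT_1G, 1000, 64) ? "yes" : "no");
    printf("2 GB limit safe for all tried starts/sizes: %s\n",
           doubling_is_safe(MODEL_LIMIT_2G, 1000, 64) ? "yes" : "no");
    return 0;
}
```

With 8-byte slots the request is rejected at a capacity of 167772160, and even with 1-byte slots at 1342177280, both far below INT_MAX; the same loop under a 2 GB limit accepts the request at 1342177280 and would wrap on the next doubling, which is the point about the limit being 1G rather than 2G.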