Re: BUG #18943: Return value of a function 'xmlBufferCreate' is dereferenced at xpath.c:177 without checking for NUL

From: Michael Paquier <michael(at)paquier(dot)xyz>
To: Jim Jones <jim(dot)jones(at)uni-muenster(dot)de>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-bugs(at)lists(dot)postgresql(dot)org, maralist86(at)mail(dot)ru
Subject: Re: BUG #18943: Return value of a function 'xmlBufferCreate' is dereferenced at xpath.c:177 without checking for NUL
Date: 2025-06-08 22:27:56
Message-ID: aEYObH2KRs_9WkB7@paquier.xyz
Lists: pgsql-bugs

On Sun, Jun 08, 2025 at 07:00:25PM +0200, Jim Jones wrote:
> On 08.06.25 17:40, Tom Lane wrote:
>> Our risk-aversion level rises steadily over the course of a release
>> cycle, and is pretty high post beta1. While I think the problems
>> we're trying to fix here are real, they are very low-probability
>> (I don't recall hearing any field reports traceable to this).
>> And you have to remember there is also some risk of introducing
>> new bugs. On balance it's not a change I would back-patch, and
>> at this point v18 is pretty close to being a stable branch so
>> it's not getting fixes we wouldn't back-patch, unless that's
>> because they are in new-in-18 code.

That's something that can be measured with a kind of risk/reward
ratio. Here the reward for the end-user is low, as we have no
reports of the current code in the field. The risk is in introducing
new issues. And the code is incorrect, so we should fix it.

I've made similar choices in the past around the same time in the
release cycle, not backpatching stuff that was an issue in backbranches,
still minimal enough to not have to worry about, like 84e4570da923
(there are a few others).
--
Michael
