mirror of
https://github.com/postgres/postgres.git
synced 2026-02-19 02:29:10 -05:00
A corrupted string could cause code that iterates with pg_mblen() to overrun its buffer. Fix, by converting all callers to one of the following:

1. Callers with a null-terminated string now use pg_mblen_cstr(), which raises an "illegal byte sequence" error if it finds a terminator in the middle of the sequence.

2. Callers with a length or end pointer now use either pg_mblen_with_len() or pg_mblen_range(), for the same effect, depending on which of the two seems more convenient at each site.

3. A small number of cases pre-validate a string, and can use pg_mblen_unbounded().

The traditional pg_mblen() function and COPYCHAR macro still exist for backward compatibility, but are no longer used by core code and are hereby deprecated. The same applies to the t_isXXX() functions.

Security: CVE-2026-2006
Backpatch-through: 14
Co-authored-by: Thomas Munro <thomas.munro@gmail.com>
Co-authored-by: Noah Misch <noah@leadboat.com>
Reviewed-by: Heikki Linnakangas <hlinnaka@iki.fi>
Reported-by: Paul Gerste (as part of zeroday.cloud)
Reported-by: Moritz Sanft (as part of zeroday.cloud)

| Name |
|---|
| data |
| expected |
| sql |
| .gitignore |
| _ltree_gist.c |
| _ltree_op.c |
| crc32.c |
| crc32.h |
| lquery_op.c |
| ltree--1.0--1.1.sql |
| ltree--1.1--1.2.sql |
| ltree--1.1.sql |
| ltree--1.2--1.3.sql |
| ltree.control |
| ltree.h |
| ltree_gist.c |
| ltree_io.c |
| ltree_op.c |
| ltreetest.sql |
| ltxtquery_io.c |
| ltxtquery_op.c |
| Makefile |
| meson.build |