mirror of
https://github.com/postgres/postgres.git
synced 2026-04-15 22:10:45 -04:00
d837fb0292
A corrupted string could cause code that iterates with pg_mblen() to overrun its buffer. Fix, by converting all callers to one of the following: 1. Callers with a null-terminated string now use pg_mblen_cstr(), which raises an "illegal byte sequence" error if it finds a terminator in the middle of the sequence. 2. Callers with a length or end pointer now use either pg_mblen_with_len() or pg_mblen_range(), for the same effect, depending on which of the two seems more convenient at each site. 3. A small number of cases pre-validate a string, and can use pg_mblen_unbounded(). The traditional pg_mblen() function and COPYCHAR macro still exist for backward compatibility, but are no longer used by core code and are hereby deprecated. The same applies to the t_isXXX() functions. Security: CVE-2026-2006 Backpatch-through: 14 Co-authored-by: Thomas Munro <thomas.munro@gmail.com> Co-authored-by: Noah Misch <noah@leadboat.com> Reviewed-by: Heikki Linnakangas <hlinnaka@iki.fi> Reported-by: Paul Gerste (as part of zeroday.cloud) Reported-by: Moritz Sanft (as part of zeroday.cloud) |
||
|---|---|---|
| .. | ||
| expected | ||
| sql | ||
| .gitignore | ||
| brinfuncs.c | ||
| btreefuncs.c | ||
| fsmfuncs.c | ||
| ginfuncs.c | ||
| gistfuncs.c | ||
| hashfuncs.c | ||
| heapfuncs.c | ||
| Makefile | ||
| meson.build | ||
| pageinspect--1.0--1.1.sql | ||
| pageinspect--1.1--1.2.sql | ||
| pageinspect--1.2--1.3.sql | ||
| pageinspect--1.3--1.4.sql | ||
| pageinspect--1.4--1.5.sql | ||
| pageinspect--1.5--1.6.sql | ||
| pageinspect--1.5.sql | ||
| pageinspect--1.6--1.7.sql | ||
| pageinspect--1.7--1.8.sql | ||
| pageinspect--1.8--1.9.sql | ||
| pageinspect--1.9--1.10.sql | ||
| pageinspect--1.10--1.11.sql | ||
| pageinspect--1.11--1.12.sql | ||
| pageinspect.control | ||
| pageinspect.h | ||
| rawpage.c | ||