Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wFWDE-005F91-2N for pgsql-bugs@arkaria.postgresql.org; Wed, 22 Apr 2026 11:57:49 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wFWDD-00DYZ5-1z for pgsql-bugs@arkaria.postgresql.org; Wed, 22 Apr 2026 11:57:47 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wFWDD-00DYYw-0f for pgsql-bugs@lists.postgresql.org; Wed, 22 Apr 2026 11:57:47 +0000 Received: from forwardcorp1d.mail.yandex.net ([178.154.239.200]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1wFWD8-00000002FNv-05lP for pgsql-bugs@lists.postgresql.org; Wed, 22 Apr 2026 11:57:46 +0000 Received: from mail-nwsmtp-smtp-corp-main-68.klg.yp-c.yandex.net (mail-nwsmtp-smtp-corp-main-68.klg.yp-c.yandex.net [IPv6:2a02:6b8:c42:94a9:0:640:a3fa:0]) by forwardcorp1d.mail.yandex.net (Yandex) with ESMTPS id D7D05806D8; Wed, 22 Apr 2026 14:57:37 +0300 (MSK) Received: from smtpclient.apple (unknown [2a02:6bf:8080:c90::1:29]) by mail-nwsmtp-smtp-corp-main-68.klg.yp-c.yandex.net (smtpcorp) with ESMTPSA id avRDfX0Km0U0-nURzPCjp; Wed, 22 Apr 2026 14:57:37 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex-team.ru; s=default; t=1776859057; bh=zd3pfXgxKXavjo/QLVZcbdRVuItfPmURRaduo1NE2zc=; h=Message-Id:To:Date:References:Cc:In-Reply-To:From:Subject; b=nVLt63ACfNUxnnIxtyWM1PZumXla6+HDFDa2HAYdBvrLlYCNAtM7G5y1TUIJ9AKMB 1j2hWyJ8/tW3GXI7yQGxlRKHAhCdZBdKKy4jEOGJuIw2q9PFP8RAFTyaIhrBp9sCqW 6FNSlwn98T7XyeuCPwC+MjjXN1FsDg7lb8JhbVxo= Authentication-Results: mail-nwsmtp-smtp-corp-main-68.klg.yp-c.yandex.net; dkim=pass header.i=@yandex-team.ru Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3864.500.181\)) Subject: Re: Potential buffer overrun in spell.c's CheckAffix() From: Andrey Borodin In-Reply-To: <641711.1776792744@sss.pgh.pa.us> Date: Wed, 22 Apr 2026 16:57:26 +0500 Cc: PostgreSQL mailing lists Content-Transfer-Encoding: quoted-printable Message-Id: References: <641711.1776792744@sss.pgh.pa.us> To: Tom Lane X-Mailer: Apple Mail (2.3864.500.181) List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk > On 21 Apr 2026, at 22:32, Tom Lane wrote: >=20 > if (Affix->type =3D=3D FF_SUFFIX) > { > + /* protect against buffer overrun */ > + if (len < Affix->replen || len >=3D 2 * MAXNORMLEN || > + len - Affix->replen + findlen >=3D 2 * MAXNORMLEN) > + return NULL; > + > strcpy(newword, word); > strcpy(newword + len - Affix->replen, Affix->find); > if (baselen) /* store length of non-changed part of word */ > @@ -2112,11 +2139,16 @@ CheckAffix(const char *word, size_t len, AFFIX = *Affix, int flagflags, char *neww > } > else > { > + /* protect against buffer overrun */ > + if (len < Affix->replen || > + findlen + len - Affix->replen >=3D 2 * MAXNORMLEN) > + return NULL; Is there a reason for an asymmetric check "len >=3D 2 * MAXNORMLEN = ||=E2=80=9D? Both cases seem symmetrical and we could move it out of =E2=80=9Cif". > On 22 Apr 2026, at 03:35, Tom Lane wrote: >=20 > I chose to do this by silently truncating the input before it can > overrun the buffer, using logic comparable to the existing logic in > get_nextfield(). Certainly there's at least as good an argument for > raising an error, but for now let's follow the existing precedent. Is there a reason not to emit WARNING? The data is obviously = suspicious=E2=80=A6 Perhaps, there=E2=80=99s a reason, so maybe just document it then. Both patches look good to me, AFAICT. Best regards, Andrey Borodin.=