From: Noah Misch
To: pgsql-committers@lists.postgresql.org
Subject: pgsql: Harden our regex engine against integer overflow in size calcula
Date: Mon, 11 May 2026 12:19:36 +0000

Harden our regex engine against integer overflow in size calculations.

The number of NFA states, number of NFA arcs, and number of colors
are all bounded to reasonably small values.  However, there are
places where we try to allocate arrays sized by products of those
quantities, and those calculations could overflow, enabling
buffer-overrun attacks.  In practice there's no problem on 64-bit
machines, but there are some live scenarios on 32-bit machines.

A related problem is that citerdissect() and creviterdissect()
allocate arrays based on the length of the input string, which
potentially could overflow.

To fix, invent MALLOC_ARRAY and REALLOC_ARRAY macros that rely on
palloc_array_extended and repalloc_array_extended with the NO_OOM
option, similarly to the existing MALLOC and REALLOC macros.
(Like those, they'll throw an error not return a NULL result for
oversize requests.  This doesn't really fit into the regex code's
view of error handling, but it'll do for now.  We can consider
whether to change that behavior in a non-security follow-up patch.)

I installed similar defenses in the colormap construction code.
It's not entirely clear whether integer overflow is possible
there, but analyzing the behavior in detail seems not worth
the trouble, as the risky spots are not in hot code paths.

I left a bunch of calls as-is after verifying that they can't
overflow given reasonable limits on nstates and narcs.  Those
limits were enforced already via REG_MAX_COMPILE_SPACE, but
add commentary to document the interactions.

In passing, also fix a related edge case, which is that the
special color numbers used in LACON carcs could overflow the
"color" data type, if ncolors is close to MAX_COLOR.

In v14 and v15, the regex engine calls malloc() directly instead
of using palloc(), so MALLOC_ARRAY and REALLOC_ARRAY do likewise.

Reported-by: Xint Code
Author: Tom Lane <tgl@sss.pgh.pa.us>
Reviewed-by: Masahiko Sawada <sawada.mshk@gmail.com>
Backpatch-through: 14
Security: CVE-2026-6473

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/0dc1fdc75ebbad9419ac5e313064be0fcf092543
Author: Tom Lane <tgl@sss.pgh.pa.us>

Modified Files
--------------
src/backend/regex/regc_color.c | 17 +++++++----------
src/backend/regex/regc_cvec.c  |  3 +++
src/backend/regex/regc_nfa.c   | 10 ++++++++++
src/backend/regex/regcomp.c    |  5 +++--
src/backend/regex/rege_dfa.c   | 23 ++++++++++++++++-------
src/backend/regex/regexec.c    |  8 +++++---
src/include/regex/regcustom.h  |  2 ++
src/include/regex/regguts.h    | 13 ++++++++++++++
8 files changed, 59 insertions(+), 22 deletions(-)
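
The failure class the commit message above describes, an array size computed as a product that wraps on a 32-bit machine, shown next to an overflow-checked allocation. This is an added example, not PostgreSQL code: the `size32` type, every function name and the sample counts are hypothetical and constructed, and the helper returns NULL on an oversize request where the commit's macros are said to throw an error.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model a 32-bit size_t so the wraparound is visible on a 64-bit host. */
typedef uint32_t size32;

/* Unchecked: bytes for an nstates x ncolors table, truncated to 32 bits
 * exactly as size_t arithmetic would be on a 32-bit machine. */
static size32 table_bytes_unchecked(size32 nstates, size32 ncolors, size32 elemsize)
{
    return (size32) ((uint64_t) nstates * ncolors * elemsize);
}

/* Checked: refuse any product that does not fit in 32 bits. */
static bool table_bytes_checked(size32 nstates, size32 ncolors,
                                size32 elemsize, size32 *bytes)
{
    size32 nelems;

    if (ncolors != 0 && nstates > UINT32_MAX / ncolors)
        return false;           /* nstates * ncolors would wrap */
    nelems = nstates * ncolors;
    if (elemsize != 0 && nelems > UINT32_MAX / elemsize)
        return false;           /* nelems * elemsize would wrap */
    *bytes = nelems * elemsize;
    return true;
}

/* Hypothetical array allocator: NULL on overflow instead of a short buffer. */
static void *alloc_table(size32 nstates, size32 ncolors, size32 elemsize)
{
    size32 bytes;

    if (!table_bytes_checked(nstates, ncolors, elemsize, &bytes))
        return NULL;
    return malloc(bytes ? bytes : 1);
}

int main(void)
{
    /* Constructed counts: 65536 * 16384 * 4 == 2^32, which wraps to 0. */
    printf("unchecked size: %u bytes\n",
           (unsigned) table_bytes_unchecked(65536, 16384, 4));
    printf("checked alloc:  %s\n",
           alloc_table(65536, 16384, 4) ? "allocated" : "rejected");
    return 0;
}
```

With the unchecked size, the caller receives a zero-byte buffer while later code indexes it as a 2^30-entry table, which is the buffer overrun the commit guards against.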