public inbox for [email protected]
help / color / mirror / Atom feedFrom: Noah Misch <[email protected]>
To: [email protected]
Subject: pgsql: ltree: Fix overflows with lquery parsing
Date: Mon, 11 May 2026 12:19:37 +0000
Message-ID: <[email protected]> (raw)
ltree: Fix overflows with lquery parsing
The lquery parser in contrib/ltree/ had two overflow problems:
- A single lquery level with many OR-separated variants (e.g.,
'label1|label2|...'), could cause an overflow of totallen, this being
stored as a uint16, meaning a maximum value of UINT16_MAX or 65k. Each
variant contributes MAXALIGN(LVAR_HDRSIZE + len) bytes. With enough
long variants, the value would wraparound. This would corrupt the data
written by LQL_NEXT(), leading to a stack corruption, most likely
translating into a crash, but it would allow incorrect memory access.
- numvar, labelled as a uint16, counts the number of OR-variants in a
single level, and it is incremented without bounds checking. With more
than PG_UINT16_MAX (65k) variants in a single level, and a minimum of
131kB of input data, it would wrap to 0. When a (wildcard) '*' is
used, this would change the query results silently.
For both issues, a set of overflows checks are added to guard against
these problematic patterns.
The first issue has been reported by the three people listed below,
affecting v16 and newer versions due to b1665bf01e5f. Its coding was
still unsafe in v14 and v15. The second issue affects all the stable
branches; I have bumped into while reviewing the code of the module.
Reported-by: Vergissmeinnicht <[email protected]>
Reported-by: A1ex <[email protected]>
Reported-by: Jihe Wang <[email protected]>
Author: Michael Paquier <[email protected]>
Security: CVE-2026-6473
Backpatch-through: 14
Branch
------
REL_18_STABLE
Details
-------
https://git.postgresql.org/pg/commitdiff/7f019f34140ab9b98ba1ede6cb9f4ed90296b50f
Author: Michael Paquier <[email protected]>
Modified Files
--------------
contrib/ltree/expected/ltree.out | 10 ++++++++++
contrib/ltree/ltree_io.c | 19 +++++++++++++++++--
contrib/ltree/sql/ltree.sql | 8 ++++++++
3 files changed, 35 insertions(+), 2 deletions(-)
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected]
Subject: Re: pgsql: ltree: Fix overflows with lquery parsing
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox