pgsql: Prevent buffer overrun in unicode_normalize().

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Noah Misch <[email protected]>
To: [email protected]
Subject: pgsql: Prevent buffer overrun in unicode_normalize().
Date: Mon, 11 May 2026 12:19:39 +0000
Message-ID: <[email protected]> (raw)

Prevent buffer overrun in unicode_normalize().

Some UTF8 characters decompose to more than a dozen codepoints.
It is possible for an input string that fits into well under
1GB to produce more than 4G decomposed codepoints, causing
unicode_normalize()'s decomp_size variable to wrap around to a
small positive value.  This results in a small output buffer
allocation and subsequent buffer overrun.

To fix, test after each addition to see if we've overrun MaxAllocSize,
and break out of the loop early if so.  In frontend code we want to
just return NULL for this failure (treating it like OOM).  In the
backend, we can rely on the following palloc() call to throw error.

I also tightened things up in the calling functions in varlena.c,
using size_t rather than int and allocating the input workspace
with palloc_array().  These changes are probably unnecessary
given the knowledge that the original input and the normalized
output_chars array must fit into 1GB, but it's a lot easier to
believe the code is safe with these changes.

Reported-by: Xint Code
Reported-by: Bruce Dang <[email protected]>
Author: Tom Lane <[email protected]>
Co-authored-by: Heikki Linnakangas <[email protected]>
Backpatch-through: 14
Security: CVE-2026-6473

Branch
------
REL_16_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/f20b840813f579062cc5de0a9a266dc8d5590fc7
Author: Tom Lane <[email protected]>

Modified Files
--------------
src/backend/utils/adt/varlena.c | 14 +++++++-------
src/common/unicode_norm.c       | 19 +++++++++++++++++++
2 files changed, 26 insertions(+), 7 deletions(-)

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected]
  Subject: Re: pgsql: Prevent buffer overrun in unicode_normalize().
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox