Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wNXWT-000t0V-36 for pgsql-committers@arkaria.postgresql.org; Thu, 14 May 2026 14:58:49 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wNX43-00D4jH-31 for pgsql-committers@arkaria.postgresql.org; Thu, 14 May 2026 14:29:27 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wMPem-000mY7-0H for pgsql-committers@lists.postgresql.org; Mon, 11 May 2026 12:22:44 +0000 Received: from mahout.postgresql.org ([72.32.157.227]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1wMPek-000000002T9-0BBQ for pgsql-committers@lists.postgresql.org; Mon, 11 May 2026 12:22:43 +0000 Received: from gemulon.postgresql.org ([72.32.157.198]) by mahout.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wMPbq-0005ar-23 for pgsql-committers@lists.postgresql.org; Mon, 11 May 2026 12:19:43 +0000 Received: from localhost ([127.0.0.1] helo=gemulon.postgresql.org) by gemulon.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wMPbo-0002cf-01 for pgsql-committers@lists.postgresql.org; Mon, 11 May 2026 12:19:40 +0000 Content-Type: multipart/mixed; boundary="===============8352011571168441373==" MIME-Version: 1.0 From: Noah Misch To: pgsql-committers@lists.postgresql.org Subject: pgsql: Harden our regex engine against integer overflow in size calcula X-Auto-Response-Suppress: All Auto-Submitted: auto-generated Message-Id: Date: Mon, 11 May 2026 12:19:40 +0000 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --===============8352011571168441373== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 SGFyZGVuIG91ciByZWdleCBlbmdpbmUgYWdhaW5zdCBpbnRlZ2VyIG92ZXJmbG93IGluIHNpemUg Y2FsY3VsYXRpb25zLgoKVGhlIG51bWJlciBvZiBORkEgc3RhdGVzLCBudW1iZXIgb2YgTkZBIGFy Y3MsIGFuZCBudW1iZXIgb2YgY29sb3JzCmFyZSBhbGwgYm91bmRlZCB0byByZWFzb25hYmx5IHNt YWxsIHZhbHVlcy4gIEhvd2V2ZXIsIHRoZXJlIGFyZQpwbGFjZXMgd2hlcmUgd2UgdHJ5IHRvIGFs bG9jYXRlIGFycmF5cyBzaXplZCBieSBwcm9kdWN0cyBvZiB0aG9zZQpxdWFudGl0aWVzLCBhbmQg dGhvc2UgY2FsY3VsYXRpb25zIGNvdWxkIG92ZXJmbG93LCBlbmFibGluZwpidWZmZXItb3ZlcnJ1 biBhdHRhY2tzLiAgSW4gcHJhY3RpY2UgdGhlcmUncyBubyBwcm9ibGVtIG9uIDY0LWJpdAptYWNo aW5lcywgYnV0IHRoZXJlIGFyZSBzb21lIGxpdmUgc2NlbmFyaW9zIG9uIDMyLWJpdCBtYWNoaW5l cy4KCkEgcmVsYXRlZCBwcm9ibGVtIGlzIHRoYXQgY2l0ZXJkaXNzZWN0KCkgYW5kIGNyZXZpdGVy ZGlzc2VjdCgpCmFsbG9jYXRlIGFycmF5cyBiYXNlZCBvbiB0aGUgbGVuZ3RoIG9mIHRoZSBpbnB1 dCBzdHJpbmcsIHdoaWNoCnBvdGVudGlhbGx5IGNvdWxkIG92ZXJmbG93LgoKVG8gZml4LCBpbnZl bnQgTUFMTE9DX0FSUkFZIGFuZCBSRUFMTE9DX0FSUkFZIG1hY3JvcyB0aGF0IHJlbHkgb24KcGFs bG9jX2FycmF5X2V4dGVuZGVkIGFuZCByZXBhbGxvY19hcnJheV9leHRlbmRlZCB3aXRoIHRoZSBO T19PT00Kb3B0aW9uLCBzaW1pbGFybHkgdG8gdGhlIGV4aXN0aW5nIE1BTExPQyBhbmQgUkVBTExP QyBtYWNyb3MuCihMaWtlIHRob3NlLCB0aGV5J2xsIHRocm93IGFuIGVycm9yIG5vdCByZXR1cm4g YSBOVUxMIHJlc3VsdCBmb3IKb3ZlcnNpemUgcmVxdWVzdHMuICBUaGlzIGRvZXNuJ3QgcmVhbGx5 IGZpdCBpbnRvIHRoZSByZWdleCBjb2RlJ3MKdmlldyBvZiBlcnJvciBoYW5kbGluZywgYnV0IGl0 J2xsIGRvIGZvciBub3cuICBXZSBjYW4gY29uc2lkZXIKd2hldGhlciB0byBjaGFuZ2UgdGhhdCBi ZWhhdmlvciBpbiBhIG5vbi1zZWN1cml0eSBmb2xsb3ctdXAgcGF0Y2guKQoKSSBpbnN0YWxsZWQg c2ltaWxhciBkZWZlbnNlcyBpbiB0aGUgY29sb3JtYXAgY29uc3RydWN0aW9uIGNvZGUuCkl0J3Mg bm90IGVudGlyZWx5IGNsZWFyIHdoZXRoZXIgaW50ZWdlciBvdmVyZmxvdyBpcyBwb3NzaWJsZQp0 aGVyZSwgYnV0IGFuYWx5emluZyB0aGUgYmVoYXZpb3IgaW4gZGV0YWlsIHNlZW1zIG5vdCB3b3J0 aAp0aGUgdHJvdWJsZSwgYXMgdGhlIHJpc2t5IHNwb3RzIGFyZSBub3QgaW4gaG90IGNvZGUgcGF0 aHMuCgpJIGxlZnQgYSBidW5jaCBvZiBjYWxscyBhcy1pcyBhZnRlciB2ZXJpZnlpbmcgdGhhdCB0 aGV5IGNhbid0Cm92ZXJmbG93IGdpdmVuIHJlYXNvbmFibGUgbGltaXRzIG9uIG5zdGF0ZXMgYW5k IG5hcmNzLiAgVGhvc2UKbGltaXRzIHdlcmUgZW5mb3JjZWQgYWxyZWFkeSB2aWEgUkVHX01BWF9D T01QSUxFX1NQQUNFLCBidXQKYWRkIGNvbW1lbnRhcnkgdG8gZG9jdW1lbnQgdGhlIGludGVyYWN0 aW9ucy4KCkluIHBhc3NpbmcsIGFsc28gZml4IGEgcmVsYXRlZCBlZGdlIGNhc2UsIHdoaWNoIGlz IHRoYXQgdGhlCnNwZWNpYWwgY29sb3IgbnVtYmVycyB1c2VkIGluIExBQ09OIGNhcmNzIGNvdWxk IG92ZXJmbG93IHRoZQoiY29sb3IiIGRhdGEgdHlwZSwgaWYgbmNvbG9ycyBpcyBjbG9zZSB0byBN QVhfQ09MT1IuCgpJbiB2MTQgYW5kIHYxNSwgdGhlIHJlZ2V4IGVuZ2luZSBjYWxscyBtYWxsb2Mo KSBkaXJlY3RseSBpbnN0ZWFkCm9mIHVzaW5nIHBhbGxvYygpLCBzbyBNQUxMT0NfQVJSQVkgYW5k IFJFQUxMT0NfQVJSQVkgZG8gbGlrZXdpc2UuCgpSZXBvcnRlZC1ieTogWGludCBDb2RlCkF1dGhv cjogVG9tIExhbmUgPHRnbEBzc3MucGdoLnBhLnVzPgpSZXZpZXdlZC1ieTogTWFzYWhpa28gU2F3 YWRhIDxzYXdhZGEubXNoa0BnbWFpbC5jb20+CkJhY2twYXRjaC10aHJvdWdoOiAxNApTZWN1cml0 eTogQ1ZFLTIwMjYtNjQ3MwoKQnJhbmNoCi0tLS0tLQpSRUxfMTVfU1RBQkxFCgpEZXRhaWxzCi0t LS0tLS0KaHR0cHM6Ly9naXQucG9zdGdyZXNxbC5vcmcvcGcvY29tbWl0ZGlmZi83ZmRiMDkwN2Uw OTMxOGQ4M2U2YTBhMWY5Nzk4YjQ5MmZkM2ZmMWMxCkF1dGhvcjogVG9tIExhbmUgPHRnbEBzc3Mu cGdoLnBhLnVzPgoKTW9kaWZpZWQgRmlsZXMKLS0tLS0tLS0tLS0tLS0Kc3JjL2JhY2tlbmQvcmVn ZXgvcmVnY19jb2xvci5jIHwgMTcgKysrKysrKy0tLS0tLS0tLS0Kc3JjL2JhY2tlbmQvcmVnZXgv cmVnY19jdmVjLmMgIHwgIDMgKysrCnNyYy9iYWNrZW5kL3JlZ2V4L3JlZ2NfbmZhLmMgICB8IDEw ICsrKysrKysrKysKc3JjL2JhY2tlbmQvcmVnZXgvcmVnY29tcC5jICAgIHwgIDUgKysrLS0Kc3Jj L2JhY2tlbmQvcmVnZXgvcmVnZV9kZmEuYyAgIHwgMjMgKysrKysrKysrKysrKysrKy0tLS0tLS0K c3JjL2JhY2tlbmQvcmVnZXgvcmVnZXhlYy5jICAgIHwgIDggKysrKystLS0Kc3JjL2luY2x1ZGUv cmVnZXgvcmVnY3VzdG9tLmggIHwgMjYgKysrKysrKysrKysrKysrKysrKysrKysrKy0Kc3JjL2lu Y2x1ZGUvcmVnZXgvcmVnZ3V0cy5oICAgIHwgMTMgKysrKysrKysrKysrKwo4IGZpbGVzIGNoYW5n ZWQsIDgyIGluc2VydGlvbnMoKyksIDIzIGRlbGV0aW9ucygtKQoK --===============8352011571168441373==--