public inbox for [email protected]
help / color / mirror / Atom feedFrom: Tom Lane <[email protected]>
To: Varik Matevosyan <[email protected]>
Cc: [email protected]
Subject: Re: [PATCH] contrib/xml2: guard against signed integer overflow in parse_params
Date: Mon, 04 May 2026 09:21:00 -0400
Message-ID: <[email protected]> (raw)
In-Reply-To: <CA+bBooj48K08uKpAKyciPRdbOJ_5qCqz9nr2m2wzr8E5s102Hw@mail.gmail.com>
References: <CA+bBooj48K08uKpAKyciPRdbOJ_5qCqz9nr2m2wzr8E5s102Hw@mail.gmail.com>
Varik Matevosyan <[email protected]> writes:
> Small robustness fix for contrib/xml2/parse_params. The doubling
> of max_params relies on signed-integer overflow wrapping to a value
> that AllocSizeIsValid then rejects, which is both UB and incidental
> safety.
There are many many places in our tree that handle that the same way.
The argument that it's UB is nonsense, because AllocSizeIsValid
rejects values >= 1G, so that it will fail on the iteration before
the integer counter can overflow. (This is indeed exactly why that
limit is 1G and not 2G; see the comment for MaxAllocSize.)
I think this proposal makes parse_params less like other code,
not more so, so I don't think we need extra code here.
regards, tom lane
view thread (2+ messages)
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Subject: Re: [PATCH] contrib/xml2: guard against signed integer overflow in parse_params
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox