From: Tom Lane
To: Varik Matevosyan
cc: pgsql-hackers@lists.postgresql.org
Subject: Re: [PATCH] contrib/xml2: guard against signed integer overflow in parse_params
Date: Mon, 04 May 2026 09:21:00 -0400
Message-ID: <186450.1777900860@sss.pgh.pa.us>

Varik Matevosyan writes:
> Small robustness fix for contrib/xml2/parse_params. The doubling
> of max_params relies on signed-integer overflow wrapping to a value
> that AllocSizeIsValid then rejects, which is both UB and incidental
> safety.
There are many many places in our tree that handle that the same way.

The argument that it's UB is nonsense, because AllocSizeIsValid rejects values >= 1G, so that it will fail on the iteration before the integer counter can overflow. (This is indeed exactly why that limit is 1G and not 2G; see the comment for MaxAllocSize.)

I think this proposal makes parse_params less like other code, not more so, so I don't think we need extra code here.

			regards, tom lane
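To see why the 1G limit matters for the argument above, here is an added example that is not part of the thread or of PostgreSQL's source: it models the "double the int counter, then repalloc" loop locally, with a stand-in for MaxAllocSize (0x3fffffff, just under 1 GB) and AllocSizeIsValid, and compares it with a hypothetical 2 GB limit. The starting size of 16, the 1-byte element case and the `(max + 1) * elem_size` request shape are constructed assumptions, not taken from parse_params.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Local stand-in for PostgreSQL's MaxAllocSize (0x3fffffff, just under 1 GB);
 * AllocSizeIsValid(size) there is simply size <= MaxAllocSize. */
#define PG_MAX_ALLOC_SIZE ((size_t) 0x3fffffff)

static int alloc_size_is_valid(size_t size, size_t limit)
{
    return size <= limit;
}

/*
 * Model of a "double the array, then repalloc it" growth loop with a plain
 * int counter (constructed to resemble the parse_params pattern). Returns the
 * counter value at which the allocator would reject the request (where
 * repalloc would ERROR and the loop stops), or -1 if the int counter would
 * overflow before any request is rejected. The overflow test itself is done
 * in 64-bit arithmetic so this simulation never relies on undefined behaviour.
 */
static int64_t simulate_doubling(int initial, size_t elem_size, size_t limit)
{
    int max_items = initial;

    for (;;)
    {
        if ((int64_t) max_items * 2 > INT_MAX)
            return -1;              /* the feared signed overflow */
        max_items *= 2;
        /* assumed request shape: (max + 1) elements of elem_size bytes */
        size_t request = ((size_t) max_items + 1) * elem_size;
        if (!alloc_size_is_valid(request, limit))
            return max_items;       /* rejected before overflow */
    }
}

int main(void)
{
    /* 1 GB limit, 8-byte pointers: rejected at 2^27 entries. */
    printf("%lld\n", (long long) simulate_doubling(16, 8, PG_MAX_ALLOC_SIZE));
    /* 1 GB limit, 1-byte elements (worst case): rejected at 2^30, still < INT_MAX. */
    printf("%lld\n", (long long) simulate_doubling(16, 1, PG_MAX_ALLOC_SIZE));
    /* Hypothetical 2 GB limit, 1-byte elements: the int counter overflows first. */
    printf("%lld\n", (long long) simulate_doubling(16, 1, (size_t) 0x7fffffff));
    return 0;
}
```

With the 1 GB limit the request is rejected while the counter is at most 2^30, so the counter never reaches the doubling step that would overflow; with a 2 GB limit and 1-byte elements it would.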