Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wcbQg-003ToE-0A for pgsql-hackers@arkaria.postgresql.org; Thu, 25 Jun 2026 04:11:06 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wcbQe-003dbS-32 for pgsql-hackers@arkaria.postgresql.org; Thu, 25 Jun 2026 04:11:04 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wcbQe-003dbJ-26 for pgsql-hackers@lists.postgresql.org; Thu, 25 Jun 2026 04:11:04 +0000 Received: from mail-pl1-x630.google.com ([2607:f8b0:4864:20::630]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1wcbQc-000000007om-3smD for pgsql-hackers@postgresql.org; Thu, 25 Jun 2026 04:11:03 +0000 Received: by mail-pl1-x630.google.com with SMTP id d9443c01a7336-2c6bdb8a8bdso9501315ad.1 for ; Wed, 24 Jun 2026 21:11:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1782360662; x=1782965462; darn=postgresql.org; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=3jJjT84GfTEEzv5xwFKkUGJ3kvO0hxYV9D+0zwzmfW0=; b=LdNSVbLZwoUFzpC6adC6w6hAsPE9earLWA1G/ZyFAYao9+VSAbSC9BvAVjiPL/Qsql TVcY0d/D1YKbyMcr0gWFT5RInZkNIU1ZEOg5OGOhyLGaFFbwwTZ7PYxIFT1L9dCGGHbb RGsB1zkQXiGNEmDIrzqoK5mlSzoY8x9MFgVV6PXqipjhdHtQsTpGqTVjwHnk0tkI/kfM Y3kHhEZWC0T9Qd7i1fBanUQCSbgPwGySU6vWBkz/Vsv/OMZ6OinFRvIc/t7Eg7eTMQVM pfGXYI7yKR+2jOKmQp4lRQtdl/E3jNObWvxT9FVwJB8A16yTaFgDo0bk54EC14EjNhjh hOTw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782360662; x=1782965462; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-gg:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=3jJjT84GfTEEzv5xwFKkUGJ3kvO0hxYV9D+0zwzmfW0=; b=bb/JGx3dl4EPMulcrBlYDhz/jOrsdDsK8aa4Za+GtRLlk3kT94cUJiCB2+EY91d27q xpXyjbSLbI93w8KgSW578Q/Bz+pdLnsnJNmjreU1vBqCVJ3P3Xp1PECpn1hontEwlm9p 1whc12eV9DJflMxwO+s/UCU+CRyZn+iTxwpnHtqg22SGSrtFbLsuvPXS6Rm5wA7+g+cX Hq+0EFZJhRxDEsIb1nGCrD+A2+Cb6mJ5dBEhTKPdbXoEtwFpvBVGBw4KoBGrNMVECPzP S8ncHvSvoTJ4pindOagfFftNnsfdB4GrdwO79SnEQZQasx1YwlmY3NcbFWmFmm+FfHaT fNOw== X-Gm-Message-State: AOJu0YxHcvctYZXZZiLx3OvDEflbwtNcCT0p2RU9MSI5juLi8pCGAFTh Jln1x9OFzNH/BNrX02eSltYVDabLj28qsVCc0+/6nG/T023+zz/w4CKZ X-Gm-Gg: AfdE7clFHONFFOrg6S5nWGhBTgtfUiHbwCTyC6kcA1UsBXPAijFe14hmh92PrXWmJyV zi8LVe3rLB2bjR4giBtKybHSXbWmkmtczfW4q4yzfNEVv9xoKgrogaq0jCxpNfR5IAOQi0+gt7l JWk7VibTrnNKRfmh0lJPxg/Rr0UivAvh4lzZeDX32gNLyAKfdBZO1l1+u1uD3BpfidTli2Z4RC6 DOXhZl6xTgPgqrlAq1cJTKaOs7JdM1jalG1GL/u1JJWEN+wKfodOQwPF7rQ/tfFa9wrKMPr9xTb nxQEAJ/ZYuvqOHfR5XXhxJ9XrnhBLHHY3uGDk/Z6ZCx3wPk4918couzbFmbVbErGNd3MHBJlonG uQeKiLfGeFm7CxT3Ac1B+sBcCLcNSnrTKYUDRSnqWClMk0XgDouWkJM1U/+IGakH2Onb3gZz8VX 1N1oOd2zAFc9NS2Yc1/Xxm2Q== X-Received: by 2002:a17:902:e78e:b0:2c4:608:167c with SMTP id d9443c01a7336-2c7fc663951mr10375715ad.6.1782360661787; Wed, 24 Jun 2026 21:11:01 -0700 (PDT) Received: from smtpclient.apple ([185.135.79.125]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2c7f63aecb4sm10315965ad.46.2026.06.24.21.10.59 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 24 Jun 2026 21:11:01 -0700 (PDT) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3864.600.51.1.1\)) Subject: Re: Small patch to improve safety of utf8_to_unicode(). From: Chao Li In-Reply-To: <592441c1d871a4ed0ac1708e132f447caa35869c.camel@j-davis.com> Date: Thu, 25 Jun 2026 12:10:26 +0800 Cc: pgsql-hackers@postgresql.org Content-Transfer-Encoding: quoted-printable Message-Id: <3058CAA1-40E0-4098-893B-615F77CD35E1@gmail.com> References: <541F240E-94AD-4D65-9794-7D6C316BC3FF@gmail.com> <313BCA0E-2E74-4EB6-9AA8-10DB7F439151@gmail.com> <592441c1d871a4ed0ac1708e132f447caa35869c.camel@j-davis.com> To: Jeff Davis X-Mailer: Apple Mail (2.3864.600.51.1.1) List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk > On Jun 25, 2026, at 05:57, Jeff Davis wrote: >=20 > On Wed, 2026-06-24 at 16:44 +0800, Chao Li wrote: >> There is a compile warning against pg_wchar.h in 0004: >=20 > Fixed. I also used a loop in utf8decode() which is slightly smaller, > which is good if we intend it to be inlined by a lot of callers. >=20 > Regards, > Jeff Davis >=20 > = I just reviewed v5-0001 and got one concern. In initcap_wbnext(), the new check only verifies that the input has = enough bytes: ``` if (wbstate->offset + ulen > wbstate->len) ``` What about an invalid continuation byte, for example "\xCE "? In this = case, pg_utf_mblen() sees \xCE, so ulen will be 2. Since there is still = one more byte, the length check won't catch the invalid continuation = byte \x20, and the code will proceed to utf8_to_unicode(). Looking at utf8_to_unicode(): ``` static inline char32_t utf8_to_unicode(const unsigned char *c) { if ((*c & 0x80) =3D=3D 0) return (char32_t) c[0]; else if ((*c & 0xe0) =3D=3D 0xc0) return (char32_t) (((c[0] & 0x1f) << 6) | (c[1] & 0x3f)); else if ((*c & 0xf0) =3D=3D 0xe0) return (char32_t) (((c[0] & 0x0f) << 12) | ((c[1] & 0x3f) << 6) = | (c[2] & 0x3f)); else if ((*c & 0xf8) =3D=3D 0xf0) return (char32_t) (((c[0] & 0x07) << 18) | ((c[1] & 0x3f) << 12) = | ((c[2] & 0x3f) << 6) = | (c[3] & 0x3f)); else return PG_INVALID_CODEPOINT; } ``` For "\xCE ", it will take this branch: ``` else if ((*c & 0xe0) =3D=3D 0xc0) return (char32_t) (((c[0] & 0x1f) << 6) | (c[1] & 0x3f)); ``` This uses the second byte, \x20, without validating. So it looks like = the patch prevents reading past the end of the string, but it may not = fully defend against invalid UTF-8 sequences. Am I missing anything? (I will continue to review 0002 tomorrow.) Best regards, -- Chao Li (Evan) HighGo Software Co., Ltd. https://www.highgo.com/