Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tieWU-000nhg-A5 for pgsql-hackers@arkaria.postgresql.org; Thu, 13 Feb 2025 19:05:18 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1tieWR-00CkwV-Sm for pgsql-hackers@arkaria.postgresql.org; Thu, 13 Feb 2025 19:05:16 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tieWR-00CkwN-JY for pgsql-hackers@lists.postgresql.org; Thu, 13 Feb 2025 19:05:16 +0000 Received: from sss.pgh.pa.us ([68.162.161.243]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1tieWQ-000fRc-0P for pgsql-hackers@lists.postgresql.org; Thu, 13 Feb 2025 19:05:15 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 51DJ5Ciq3718762; Thu, 13 Feb 2025 14:05:12 -0500 From: Tom Lane To: Ranier Vilela cc: Justin Pryzby , pgsql-hackers@lists.postgresql.org Subject: Re: pg17.3 PQescapeIdentifier() ignores len In-reply-to: References: Comments: In-reply-to Ranier Vilela message dated "Thu, 13 Feb 2025 13:59:17 -0300" MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <3718760.1739473512.1@sss.pgh.pa.us> Date: Thu, 13 Feb 2025 14:05:12 -0500 Message-ID: <3718761.1739473512@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Ranier Vilela writes: > Interesting, Coverity has some new reports regarding PQescapeIdentifier. > CID 1591290: (#1 of 1): Out-of-bounds access (OVERRUN) > 2. alloc_strlen: Allocating insufficient memory for the terminating null of > the string. [Note: The source code implementation of the function has been > overridden by a builtin model.] That's not new, we've been seeing those for awhile. I've been ignoring them on the grounds that (a) if the code actually had such a problem, valgrind testing would have found it, and (b) the message is saying in so many words that they're ignoring our code in favor of somebody's apparently-inaccurate model of said code. regards, tom lane