[PATCH] contrib/xml2: guard against signed integer overflow in parse

public inbox for [email protected]  
help / color / mirror / Atom feed

[PATCH] contrib/xml2: guard against signed integer overflow in parse_params
2+ messages / 2 participants
[nested] [flat]

* [PATCH] contrib/xml2: guard against signed integer overflow in parse_params
@ 2026-05-04 11:26 Varik Matevosyan <[email protected]>
  2026-05-04 13:21 ` Re: [PATCH] contrib/xml2: guard against signed integer overflow in parse_params Tom Lane <[email protected]>
  0 siblings, 1 reply; 2+ messages in thread

From: Varik Matevosyan @ 2026-05-04 11:26 UTC (permalink / raw)
  To: [email protected]

Hi,

Small robustness fix for contrib/xml2/parse_params. The doubling
of max_params relies on signed-integer overflow wrapping to a value
that AllocSizeIsValid then rejects, which is both UB and incidental
safety.

The overflow is unreachable in current builds (text input is bounded
by MaxAllocSize, which limits nparams below the doubling threshold),
but the fix is small and matches the explicit overflow-checking
idiom used elsewhere in the tree.

Patch attached against current master.

Regards,
Varik


Attachments:

  [application/octet-stream] 0001-contrib-xml2-guard-against-signed-integer-overflow-i.patch (1.8K, 2-0001-contrib-xml2-guard-against-signed-integer-overflow-i.patch)
  download | inline diff:
From ef1219a7e97525a42a21bc27f982fd9e2e9a2c30 Mon Sep 17 00:00:00 2001
From: Varik Matevosyan <[email protected]>
Date: Mon, 4 May 2026 10:53:05 +0000
Subject: [PATCH] contrib/xml2: guard against signed integer overflow in
 parse_params

The doubling of max_params in parse_params relies on signed integer
overflow to wrap to a negative value that AllocSizeIsValid then
rejects, producing a clean ereport. This is incidental safety:
signed overflow is undefined per the C standard, and the graceful
ERROR depends on the wrapped value falling outside MaxAllocSize
after promotion to size_t.

In current builds the overflow is unreachable, since text input is
bounded by MaxAllocSize and that limits nparams below the doubling
threshold. Guard the multiplication anyway, matching the explicit
overflow-checking idiom used elsewhere in the tree.
---
 contrib/xml2/xslt_proc.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/contrib/xml2/xslt_proc.c b/contrib/xml2/xslt_proc.c
index 8ceb8c46494..39116118663 100644
--- a/contrib/xml2/xslt_proc.c
+++ b/contrib/xml2/xslt_proc.c
@@ -7,6 +7,7 @@
  */
 #include "postgres.h"
 
+#include "common/int.h"
 #include "fmgr.h"
 #include "utils/builtins.h"
 #include "utils/xml.h"
@@ -216,6 +217,7 @@ parse_params(text *paramstr)
 	char	   *itsep = ",";
 	const char **params;
 	int			max_params;
+	int			new_max_params;
 	int			nparams;
 
 	pstr = text_to_cstring(paramstr);
@@ -230,7 +232,12 @@ parse_params(text *paramstr)
 	{
 		if (nparams >= max_params)
 		{
-			max_params *= 2;
+			if (pg_mul_s32_overflow(max_params, 2, &new_max_params))
+				ereport(ERROR,
+						(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+						 errmsg("too many XSLT parameters")));
+
+			max_params = new_max_params;
 			params = (const char **) repalloc(params,
 											  (max_params + 1) * sizeof(char *));
 		}
-- 
2.43.0



^ permalink  raw  reply  [nested|flat] 2+ messages in thread

* Re: [PATCH] contrib/xml2: guard against signed integer overflow in parse_params
  2026-05-04 11:26 [PATCH] contrib/xml2: guard against signed integer overflow in parse_params Varik Matevosyan <[email protected]>
@ 2026-05-04 13:21 ` Tom Lane <[email protected]>
  0 siblings, 0 replies; 2+ messages in thread

From: Tom Lane @ 2026-05-04 13:21 UTC (permalink / raw)
  To: Varik Matevosyan <[email protected]>; +Cc: [email protected]

Varik Matevosyan <[email protected]> writes:
> Small robustness fix for contrib/xml2/parse_params. The doubling
> of max_params relies on signed-integer overflow wrapping to a value
> that AllocSizeIsValid then rejects, which is both UB and incidental
> safety.

There are many many places in our tree that handle that the same way.
The argument that it's UB is nonsense, because AllocSizeIsValid
rejects values >= 1G, so that it will fail on the iteration before
the integer counter can overflow.  (This is indeed exactly why that
limit is 1G and not 2G; see the comment for MaxAllocSize.)

I think this proposal makes parse_params less like other code,
not more so, so I don't think we need extra code here.

			regards, tom lane

^ permalink  raw  reply  [nested|flat] 2+ messages in thread

end of thread, other threads:[~2026-05-04 13:21 UTC | newest]

Thread overview: 2+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2026-05-04 11:26 [PATCH] contrib/xml2: guard against signed integer overflow in parse_params Varik Matevosyan <[email protected]>
2026-05-04 13:21 ` Tom Lane <[email protected]>

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox