git.ipfire.org Git - thirdparty/postgresql.git/commit

author	Michael Paquier <michael@paquier.xyz>
	Mon, 11 May 2026 12:13:51 +0000 (05:13 -0700)
committer	Noah Misch <noah@leadboat.com>
	Mon, 11 May 2026 12:13:51 +0000 (05:13 -0700)
commit	2d267ffc449ad9e8a1fbc2e23d4b55754a5a6e02
tree	9a4e56d8a34d140cff064af0d0cbad4951f2f234	tree \| snapshot
parent	b545c3787671ccbc54e76198da57424636a34f80	commit \| diff

Fix overflows with ts_headline()

The options "StartSel", "StopSel" and "FragmentDelimiter" given by a
caller of the SQL function ts_headline() have their lengths stored as
int16. When providing values larger than PG_INT16_MAX, it was possible
to overflow the length values stored, leading to incorrect behaviors in
generateHeadline(), in most cases translating to a crash.

Attempting to use values for these options larger than PG_INT16_MAX is
now blocked. Some test cases are added to cover our tracks.

Reported-by: Xint Code
Author: Michael Paquier <michael@paquier.xyz>
Backpatch-through: 14
Security: CVE-2026-6473

src/backend/tsearch/wparser_def.c		diff \| blob \| blame \| history
src/test/regress/expected/tsearch.out		diff \| blob \| blame \| history
src/test/regress/sql/tsearch.sql		diff \| blob \| blame \| history