git.ipfire.org Git - thirdparty/postgresql.git/commit
Fix overflows with ts_headline()
author Michael Paquier <michael@paquier.xyz>
Mon, 11 May 2026 12:13:48 +0000 (05:13 -0700)
committer Noah Misch <noah@leadboat.com>
Mon, 11 May 2026 12:13:48 +0000 (05:13 -0700)
commit 3ed3dbbf440a81590ade81ac6553dc7380a26561
tree 1cbb4e57142cbc8e59e7179fca8296f047414643
parent 8c3426110934af82590eb212ad5a282a9c5f7070
Fix overflows with ts_headline()

The options "StartSel", "StopSel" and "FragmentDelimiter" given by a
caller of the SQL function ts_headline() have their lengths stored as
int16.  When providing values larger than PG_INT16_MAX, it was possible
to overflow the length values stored, leading to incorrect behaviors in
generateHeadline(), in most cases translating to a crash.

Attempting to use values for these options larger than PG_INT16_MAX is
now blocked.  Some test cases are added to cover our tracks.

Reported-by: Xint Code
Author: Michael Paquier <michael@paquier.xyz>
Backpatch-through: 14
Security: CVE-2026-6473
src/backend/tsearch/wparser_def.c
src/test/regress/expected/tsearch.out
src/test/regress/sql/tsearch.sql
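
Added example, not code from this commit or from PostgreSQL: a standalone C sketch of the defect class the commit message describes, a string length narrowed into an int16 field, next to the range check that rejects over-long values. DemoHeadlineOpts, store_len_unchecked, set_startsel_checked and make_value are hypothetical names, and INT16_MAX from <stdint.h> stands in for PG_INT16_MAX.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for the headline options: text plus an int16 length. */
typedef struct {
    const char *startsel;
    int16_t     startsellen;
} DemoHeadlineOpts;

/* "Before": the length is narrowed to int16 with no range check.  The
 * out-of-range conversion wraps modulo 2^16 on gcc and clang. */
static int16_t store_len_unchecked(size_t len)
{
    return (int16_t) len;
}

/* "After": refuse anything longer than INT16_MAX.  0 = accepted, -1 = rejected. */
static int set_startsel_checked(DemoHeadlineOpts *opts, const char *val)
{
    size_t len = strlen(val);
    if (len > INT16_MAX) return -1;   /* opts is left untouched on rejection */
    opts->startsel = val;
    opts->startsellen = (int16_t) len;
    return 0;
}

/* Constructed sample input: a string of n 'x' characters (caller frees). */
static char *make_value(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL) return NULL;
    memset(s, 'x', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    size_t sizes[] = {32767, 32768, 65536, 65537};
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        DemoHeadlineOpts opts = {NULL, 0};
        char *v = make_value(sizes[i]);
        if (v == NULL) return 1;
        int rc = set_startsel_checked(&opts, v);
        printf("len=%zu unchecked=%d checked=%s\n", sizes[i],
               store_len_unchecked(sizes[i]), rc == 0 ? "accepted" : "rejected");
        free(v);
    }
    return 0;
}
```

The unchecked path leaves a stored length that is negative or far smaller than the real string, which is the mismatch the check closes off at option-parsing time.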