git.ipfire.org Git - thirdparty/postgresql.git/commit

author	Michael Paquier <michael@paquier.xyz>
	Mon, 11 May 2026 12:13:49 +0000 (05:13 -0700)
committer	Noah Misch <noah@leadboat.com>
	Mon, 11 May 2026 12:13:49 +0000 (05:13 -0700)
commit	5919e0005b6f23292450a44f1db5c6b2e2bb0ddf
tree	2ad9d4c20723d28dd9aee9ae2a5f1ebafab5d519	tree \| snapshot
parent	6b6b26fdecc8a8e0b57ab9f0e8a6ad6212ccba36	commit \| diff

Fix overflows with ts_headline()

The options "StartSel", "StopSel" and "FragmentDelimiter" given by a
caller of the SQL function ts_headline() have their lengths stored as
int16. When providing values larger than PG_INT16_MAX, it was possible
to overflow the length values stored, leading to incorrect behaviors in
generateHeadline(), in most cases translating to a crash.

Attempting to use values for these options larger than PG_INT16_MAX is
now blocked. Some test cases are added to cover our tracks.

Reported-by: Xint Code
Author: Michael Paquier <michael@paquier.xyz>
Backpatch-through: 14
Security: CVE-2026-6473

src/backend/tsearch/wparser_def.c		diff \| blob \| blame \| history
src/test/regress/expected/tsearch.out		diff \| blob \| blame \| history
src/test/regress/sql/tsearch.sql		diff \| blob \| blame \| history