git.ipfire.org Git - thirdparty/postgresql.git/commit

author	Tom Lane <tgl@sss.pgh.pa.us>
	Wed, 22 Apr 2026 14:47:56 +0000 (10:47 -0400)
committer	Tom Lane <tgl@sss.pgh.pa.us>
	Wed, 22 Apr 2026 15:04:35 +0000 (11:04 -0400)
commit	c2bfeb3bbaa7b036295fa9cdbf9181dd7274e7ab
tree	1f9cd82bc393dd26a5c84417b53724c8c5911fa9	tree \| snapshot
parent	f3d03fbd5d017c8e8e42a3b3bcca696cfd94a8c3	commit \| diff

Prevent buffer overrun in spell.c's CheckAffix().

This function writes into a caller-supplied buffer of length
2 * MAXNORMLEN, which should be plenty in real-world cases.
However a malicious affix file could supply an affix long
enough to overrun that. Defend by just rejecting the match
if it would overrun the buffer. I also inserted a check of
the input word length against Affix->replen, just to be sure
we won't index off the buffer, though it would be caller error
for that not to be true.

Also make the actual copying steps a bit more readable, and remove
an unnecessary requirement for the whole input word to fit into the
output buffer (even though it always will with the current caller).

The lack of documentation in this code makes my head hurt, so
I also reverse-engineered a basic header comment for CheckAffix.

Reported-by: Xint Code
Author: Tom Lane <tgl@sss.pgh.pa.us>
Reviewed-by: Andrey Borodin <x4mmm@yandex-team.ru>
Discussion: https://postgr.es/m/641711.1776792744@sss.pgh.pa.us
Backpatch-through: 14