git.ipfire.org Git - thirdparty/postgresql.git/commit

author	Michael Paquier <michael@paquier.xyz>
	Mon, 11 May 2026 12:13:46 +0000 (05:13 -0700)
committer	Noah Misch <noah@leadboat.com>
	Mon, 11 May 2026 12:13:46 +0000 (05:13 -0700)
commit	d388e1d7f0468db8d046f9101f972d1fa988b19a
tree	8d28076ae4bc852cee19a7d16e9ea23e720d008d	tree \| snapshot
parent	2f1b16e867e78cdd899fa7df3acb5f6e616a9371	commit \| diff

Fix overflows with ts_headline()

The options "StartSel", "StopSel" and "FragmentDelimiter" given by a
caller of the SQL function ts_headline() have their lengths stored as
int16. When providing values larger than PG_INT16_MAX, it was possible
to overflow the length values stored, leading to incorrect behaviors in
generateHeadline(), in most cases translating to a crash.

Attempting to use values for these options larger than PG_INT16_MAX is
now blocked. Some test cases are added to cover our tracks.

Reported-by: Xint Code
Author: Michael Paquier <michael@paquier.xyz>
Backpatch-through: 14
Security: CVE-2026-6473

src/backend/tsearch/wparser_def.c		diff \| blob \| blame \| history
src/test/regress/expected/tsearch.out		diff \| blob \| blame \| history
src/test/regress/sql/tsearch.sql		diff \| blob \| blame \| history