Prevent some buffer overruns in spell.c's parsing of affix files.

Tom Lane <tgl@sss.pgh.pa.us>

Commit: 0b196d3db7138967d135b72ed9296a9ad7c06846
Author: Tom Lane <tgl@sss.pgh.pa.us>
Date: 2026-04-22T16:02:15Z
Releases: 15.18
Prevent some buffer overruns in spell.c's parsing of affix files.

parse_affentry() and addCompoundAffixFlagValue() each collect fields
from an affix file into working buffers of size BUFSIZ.  They failed
to defend against overlength fields, so that a malicious affix file
could cause a stack smash.  BUFSIZ (typically 8K) is certainly way
longer than any reasonable affix field, but let's fix this while
we're closing holes in this area.

I chose to do this by silently truncating the input before it can
overrun the buffer, using logic comparable to the existing logic in
get_nextfield().  Certainly there's at least as good an argument for
raising an error, but for now let's follow the existing precedent.

Reported-by: Igor Stepansky <igor.stepansky@orca.security>
Author: Tom Lane <tgl@sss.pgh.pa.us>
Reviewed-by: Andrey Borodin <x4mmm@yandex-team.ru>
Discussion: https://postgr.es/m/864123.1776810909@sss.pgh.pa.us
Backpatch-through: 14

Files

PathChange+/−
src/backend/tsearch/spell.c modified +24 −10

Discussion