Avoid overflow in size calculations in formatting.c.

Nathan Bossart <nathan@postgresql.org>

Commit: 137013f6084239bd824271c8c95beea496f4e2be
Author: Nathan Bossart <nathan@postgresql.org>
Committer: Noah Misch <noah@leadboat.com>
Date: 2026-05-11T12:13:50Z
Releases: 15.18
Avoid overflow in size calculations in formatting.c.

A few functions in this file were incautious about multiplying a
possibly large integer by a factor more than 1 and then using it as
an allocation size.  This is harmless on 64-bit systems where we'd
compute a size exceeding MaxAllocSize and then fail, but on 32-bit
systems we could overflow size_t, leading to an undersized
allocation and buffer overrun.  To fix, use palloc_array() or
mul_size() instead of handwritten multiplication.

Reported-by: Sven Klemm <sven@tigerdata.com>
Reported-by: Xint Code
Author: Nathan Bossart <nathandbossart@gmail.com>
Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>
Reviewed-by: Tatsuo Ishii <ishii@postgresql.org>
Security: CVE-2026-6473
Backpatch-through: 14

Files

PathChange+/−
src/backend/utils/adt/formatting.c modified +4 −4