Fix overflows with ts_headline()
Michael Paquier <michael@paquier.xyz>
Author:
Michael Paquier <michael@paquier.xyz>
Committer:
Noah Misch <noah@leadboat.com>
Date: 2026-05-11T12:13:50Z
Releases:
15.18
Fix overflows with ts_headline() The options "StartSel", "StopSel" and "FragmentDelimiter" given by a caller of the SQL function ts_headline() have their lengths stored as int16. When providing values larger than PG_INT16_MAX, it was possible to overflow the length values stored, leading to incorrect behaviors in generateHeadline(), in most cases translating to a crash. Attempting to use values for these options larger than PG_INT16_MAX is now blocked. Some test cases are added to cover our tracks. Reported-by: Xint Code Author: Michael Paquier <michael@paquier.xyz> Backpatch-through: 14 Security: CVE-2026-6473
Files
| Path | Change | +/− |
|---|---|---|
| src/backend/tsearch/wparser_def.c | modified | +21 −3 |
| src/test/regress/expected/tsearch.out | modified | +10 −0 |
| src/test/regress/sql/tsearch.sql | modified | +8 −0 |