Avoid overflow in size calculations in formatting.c.
Nathan Bossart <nathan@postgresql.org>
Author:
Nathan Bossart <nathan@postgresql.org>
Committer:
Noah Misch <noah@leadboat.com>
Date: 2026-05-11T12:13:49Z
Releases:
17.10
Avoid overflow in size calculations in formatting.c. A few functions in this file were incautious about multiplying a possibly large integer by a factor more than 1 and then using it as an allocation size. This is harmless on 64-bit systems where we'd compute a size exceeding MaxAllocSize and then fail, but on 32-bit systems we could overflow size_t, leading to an undersized allocation and buffer overrun. To fix, use palloc_array() or mul_size() instead of handwritten multiplication. Reported-by: Sven Klemm <sven@tigerdata.com> Reported-by: Xint Code Author: Nathan Bossart <nathandbossart@gmail.com> Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us> Reviewed-by: Tatsuo Ishii <ishii@postgresql.org> Security: CVE-2026-6473 Backpatch-through: 14
Files
| Path | Change | +/− |
|---|---|---|
| src/backend/utils/adt/formatting.c | modified | +5 −5 |