Fix heap-buffer-overflow in pglz_decompress() on corrupt input.

Andrew Dunstan <andrew@dunslane.net>

Commit: de32a01e7bb905b455d1a001b011433bd41dfb6a
Author: Andrew Dunstan <andrew@dunslane.net>
Date: 2026-04-10T14:22:48Z
Releases: 14.23
Fix heap-buffer-overflow in pglz_decompress() on corrupt input.

When decoding a match tag, pglz_decompress() reads 2 bytes (or 3
for extended-length matches) from the source buffer before checking
whether enough data remains.  The existing bounds check (sp > srcend)
occurs after the reads, so truncated compressed data that ends
mid-tag causes a read past the allocated buffer.

Fix by validating that sufficient source bytes are available before
reading each part of the match tag.  The post-read sp > srcend
check is no longer needed and is removed.

Found by fuzz testing with libFuzzer and AddressSanitizer.

Backpatch-through: 14

Files

PathChange+/−
src/common/pg_lzcompress.c modified +19 −8