Re: Potential buffer overrun in spell.c's CheckAffix()

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Andrey Borodin <x4mmm@yandex-team.ru>
Cc: PostgreSQL mailing lists <pgsql-bugs@lists.postgresql.org>
Date: 2026-04-22T14:50:09Z
Lists: pgsql-bugs

Attachments

I wrote:
> I suppose we could replace the strcpy with
> 	memcpy(newword, word, len - Affix->replen);
> and then we would not need the "len >= 2 * MAXNORMLEN" test
> and both paths could share the same check.  There's something
> to be said for that, though it would be changing the logic to
> a greater extent than just "add some safety checks".

Concretely, about like this, where I also tried to make the actual
byte-copying steps a bit more uniform.

			regards, tom lane

Commits

  1. Prevent some buffer overruns in spell.c's parsing of affix files.

  2. Prevent buffer overrun in spell.c's CheckAffix().