Re: [PATCH] contrib/xml2: guard against signed integer overflow in parse_params
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Varik Matevosyan <varikmatevosyan@gmail.com>
Cc: pgsql-hackers@lists.postgresql.org
Date: 2026-05-04T13:21:00Z
Lists: pgsql-hackers
Varik Matevosyan <varikmatevosyan@gmail.com> writes: > Small robustness fix for contrib/xml2/parse_params. The doubling > of max_params relies on signed-integer overflow wrapping to a value > that AllocSizeIsValid then rejects, which is both UB and incidental > safety. There are many many places in our tree that handle that the same way. The argument that it's UB is nonsense, because AllocSizeIsValid rejects values >= 1G, so that it will fail on the iteration before the integer counter can overflow. (This is indeed exactly why that limit is 1G and not 2G; see the comment for MaxAllocSize.) I think this proposal makes parse_params less like other code, not more so, so I don't think we need extra code here. regards, tom lane