Re: [PATCH] contrib/xml2: guard against signed integer overflow in parse_params

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Varik Matevosyan <varikmatevosyan@gmail.com>
Cc: pgsql-hackers@lists.postgresql.org
Date: 2026-05-04T13:21:00Z
Lists: pgsql-hackers
Varik Matevosyan <varikmatevosyan@gmail.com> writes:
> Small robustness fix for contrib/xml2/parse_params. The doubling
> of max_params relies on signed-integer overflow wrapping to a value
> that AllocSizeIsValid then rejects, which is both UB and incidental
> safety.

There are many many places in our tree that handle that the same way.
The argument that it's UB is nonsense, because AllocSizeIsValid
rejects values >= 1G, so that it will fail on the iteration before
the integer counter can overflow.  (This is indeed exactly why that
limit is 1G and not 2G; see the comment for MaxAllocSize.)

I think this proposal makes parse_params less like other code,
not more so, so I don't think we need extra code here.

			regards, tom lane