Thread
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Remove incorrect declarations in pg_wchar.h.
- 95a19fefdcbe 19 (unreleased) landed
-
Small patch to improve safety of utf8_to_unicode().
Jeff Davis <pgsql@j-davis.com> — 2025-12-12T23:24:02Z
Attached.
-
Re: Small patch to improve safety of utf8_to_unicode().
Chao Li <li.evan.chao@gmail.com> — 2025-12-13T23:22:28Z
> On Dec 13, 2025, at 07:24, Jeff Davis <pgsql@j-davis.com> wrote: > > Attached. > > > <v1-0001-Make-utf8_to_unicode-safer.patch> This patch adds a length check to utf8_to_unicode(), I think which is where “safety” comes from. Can you please add an a little bit more to the commit message instead of only saying “improve safety”. It also deleted two redundant function declarations from pg_wchar.h, which may also worth a quick note in the commit message. The code changes all look good to me. Only nitpicks are: 1 ``` diff --git a/contrib/fuzzystrmatch/daitch_mokotoff.c b/contrib/fuzzystrmatch/daitch_mokotoff.c index 07f895ae2bf..47bd2814460 100644 --- a/contrib/fuzzystrmatch/daitch_mokotoff.c +++ b/contrib/fuzzystrmatch/daitch_mokotoff.c @@ -401,7 +401,8 @@ read_char(const unsigned char *str, int *ix) /* Decode UTF-8 character to ISO 10646 code point. */ str += *ix; - c = utf8_to_unicode(str); + /* Assume byte sequence has not been broken. */ + c = utf8_to_unicode(str, MAX_MULTIBYTE_CHAR_LEN); ``` Here we need an empty line above the new comment. 2 ``` diff --git a/src/common/wchar.c b/src/common/wchar.c index a4bc29921de..c113cadf815 100644 --- a/src/common/wchar.c +++ b/src/common/wchar.c @@ -661,7 +661,8 @@ ucs_wcwidth(pg_wchar ucs) static int pg_utf_dsplen(const unsigned char *s) { - return ucs_wcwidth(utf8_to_unicode(s)); + /* trust that input is not a truncated byte sequence */ + return ucs_wcwidth(utf8_to_unicode(s, MAX_MULTIBYTE_CHAR_LEN)); } ``` For the new comment, as a code reader, I wonder why we “trust” that? To me, it more feels like because of lacking length information, we have to trust. I would like this comment to be enhanced a little bit with more information. Best regards, -- Chao Li (Evan) HighGo Software Co., Ltd. https://www.highgo.com/ -
Re: Small patch to improve safety of utf8_to_unicode().
Jeff Davis <pgsql@j-davis.com> — 2025-12-15T20:23:44Z
On Sun, 2025-12-14 at 07:22 +0800, Chao Li wrote: > This patch adds a length check to utf8_to_unicode(), I think which is > where “safety” comes from. Can you please add an a little bit more to > the commit message instead of only saying “improve safety”. Right: it does not read past pg_mblen(), nor past the supplied length. We could go further and check for valid continuation bytes, but the other routines don't do that. > It also deleted two redundant function declarations from pg_wchar.h, > which may also worth a quick note in the commit message. I committed that as an independent change and removed it from this patch. > + /* Assume byte sequence has not been broken. */ > + c = utf8_to_unicode(str, MAX_MULTIBYTE_CHAR_LEN); > ``` > > Here we need an empty line above the new comment. Done, and I expanded the comment to explain why it's safe. > pg_utf_dsplen(const unsigned char *s) > { > - return ucs_wcwidth(utf8_to_unicode(s)); > + /* trust that input is not a truncated byte sequence */ > + return ucs_wcwidth(utf8_to_unicode(s, > MAX_MULTIBYTE_CHAR_LEN)); > } > ``` > > For the new comment, as a code reader, I wonder why we “trust” that? We could use strlen(), but I was concerned that it might be used for string fragments that aren't NUL-terminated, because it's intended for a single character. A caller might reasonably assume that it wouldn't read past pg_mblen(). So I changed the comment slightly to just say that it requires the input is a valid UTF-8 sequence. Let me know if you have another suggestion. Regards, Jeff Davis -
Re: Small patch to improve safety of utf8_to_unicode().
Chao Li <li.evan.chao@gmail.com> — 2025-12-15T23:34:41Z
> On Dec 16, 2025, at 04:23, Jeff Davis <pgsql@j-davis.com> wrote: > > On Sun, 2025-12-14 at 07:22 +0800, Chao Li wrote: >> This patch adds a length check to utf8_to_unicode(), I think which is >> where “safety” comes from. Can you please add an a little bit more to >> the commit message instead of only saying “improve safety”. > > Right: it does not read past pg_mblen(), nor past the supplied length. > > We could go further and check for valid continuation bytes, but the > other routines don't do that. > >> It also deleted two redundant function declarations from pg_wchar.h, >> which may also worth a quick note in the commit message. > > I committed that as an independent change and removed it from this > patch. > >> + /* Assume byte sequence has not been broken. */ >> + c = utf8_to_unicode(str, MAX_MULTIBYTE_CHAR_LEN); >> ``` >> >> Here we need an empty line above the new comment. > > Done, and I expanded the comment to explain why it's safe. > >> pg_utf_dsplen(const unsigned char *s) >> { >> - return ucs_wcwidth(utf8_to_unicode(s)); >> + /* trust that input is not a truncated byte sequence */ >> + return ucs_wcwidth(utf8_to_unicode(s, >> MAX_MULTIBYTE_CHAR_LEN)); >> } >> ``` >> >> For the new comment, as a code reader, I wonder why we “trust” that? > > We could use strlen(), but I was concerned that it might be used for > string fragments that aren't NUL-terminated, because it's intended for > a single character. A caller might reasonably assume that it wouldn't > read past pg_mblen(). > > So I changed the comment slightly to just say that it requires the > input is a valid UTF-8 sequence. Let me know if you have another > suggestion. > > Regards, > Jeff Davis > > > <v2-0001-Make-utf8_to_unicode-safer.patch> V2 LGTM. Best regards, -- Chao Li (Evan) HighGo Software Co., Ltd. https://www.highgo.com/ -
Re: Small patch to improve safety of utf8_to_unicode().
Jeff Davis <pgsql@j-davis.com> — 2025-12-17T19:37:59Z
On Tue, 2025-12-16 at 07:34 +0800, Chao Li wrote: > > <v2-0001-Make-utf8_to_unicode-safer.patch> > > V2 LGTM. On second thought, if we're going to change something here, we should probably have a more flexible API for both utf8_to_unicode() and unicode_to_utf8(). Looking at the callers, I think we want to have signatures something like: /* returns number of bytes consumed, or -1 */ static inline ssize_t utf8_to_unicode(char32_t *cp, const unsigned char *src, size_t srclen) { ... } /* returns number of bytes written, or -1 */ static inline ssize_t unicode_to_utf8(unsigned char *dst, size_t dstsize, char32_t cp) { ... } That would make both APIs safer, and the caller wouldn't need to call unicode_utf8len() or pg_utf8_mblen() separately. We could also do more validation, but of course then the callers would need to do something if they encounter a failure. We could also try to catch NUL terminators in the middle of a sequence, which might be useful. Regards, Jeff Davis