Potential buffer overrun in spell.c's CheckAffix()
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: pgsql-bugs@lists.postgresql.org
Date: 2026-04-21T17:32:24Z
Lists: pgsql-bugs
Attachments
- v1-0001-Prevent-buffer-overrun-in-spell.c-s-CheckAffix.patch (text/x-diff) patch v1-0001
CheckAffix is used by our ispell text search dictionaries to attach a prefix or suffix to a given base word. The input word is known to be no longer than MAXNORMLEN (256), and an output buffer of size MAXNORMLEN * 2 is provided. But there's not any a-priori limit on the length of a prefix or suffix string, so in principle a buffer overflow could occur. In practice these limits seem like more than plenty for any real-world word, so I think it's sufficient to just reject the prefix or suffix if an overflow would occur, as attached. This bug was reported to pgsql-security by Xint Code as a potential security issue. However we decided it doesn't seem worth the CVE treatment, because exploiting it would require getting a malicious ispell dictionary installed in a PG server. Putting the .dict file into the installation's file tree would require superuser privileges, and so would creating a text dictionary SQL object that references it. Maybe an attacker could persuade a gullible DBA to do that, but there are plenty of other attack pathways available if you're that persuasive. Despite that, it seems worth fixing as a run-of-the-mill bug. Any objections to the attached? regards, tom lane
Commits
-
Prevent some buffer overruns in spell.c's parsing of affix files.
- ea5f0d176a9d 17.10 landed
- d7970e7e951b 19 (unreleased) landed
- 42383d32d78a 16.14 landed
- 21a24d709500 14.23 landed
- 0b196d3db713 15.18 landed
- 00c6e08195d5 18.4 landed
-
Prevent buffer overrun in spell.c's CheckAffix().
- 6cae0c2bd211 14.23 landed
- f852c9093fb0 15.18 landed
- 17f72e037f20 16.14 landed
- a5426dbf8415 17.10 landed
- c2bfeb3bbaa7 18.4 landed
- 844bb90d49f7 19 (unreleased) landed