Thread

  1. [PATCH] contrib/xml2: guard against signed integer overflow in parse_params

    Varik Matevosyan <varikmatevosyan@gmail.com> — 2026-05-04T11:26:50Z

    Hi,
    
    Small robustness fix for contrib/xml2/parse_params. The doubling
    of max_params relies on signed-integer overflow wrapping to a value
    that AllocSizeIsValid then rejects, which is both UB and incidental
    safety.
    
    The overflow is unreachable in current builds (text input is bounded
    by MaxAllocSize, which limits nparams below the doubling threshold),
    but the fix is small and matches the explicit overflow-checking
    idiom used elsewhere in the tree.
    
    Patch attached against current master.
    
    Regards,
    Varik
    
  2. Re: [PATCH] contrib/xml2: guard against signed integer overflow in parse_params

    Tom Lane <tgl@sss.pgh.pa.us> — 2026-05-04T13:21:00Z

    Varik Matevosyan <varikmatevosyan@gmail.com> writes:
    > Small robustness fix for contrib/xml2/parse_params. The doubling
    > of max_params relies on signed-integer overflow wrapping to a value
    > that AllocSizeIsValid then rejects, which is both UB and incidental
    > safety.
    
    There are many many places in our tree that handle that the same way.
    The argument that it's UB is nonsense, because AllocSizeIsValid
    rejects values >= 1G, so that it will fail on the iteration before
    the integer counter can overflow.  (This is indeed exactly why that
    limit is 1G and not 2G; see the comment for MaxAllocSize.)
    
    I think this proposal makes parse_params less like other code,
    not more so, so I don't think we need extra code here.
    
    			regards, tom lane