Thread

  1. Re: Plug-in coverage hole for pglz_decompress()

    Ayush Tiwari <ayushtiwari.slg01@gmail.com> — 2026-05-11T06:57:43Z

    Hi,
    
    On Mon, 11 May 2026 at 12:06, Michael Paquier <michael@paquier.xyz> wrote:
    
    > Hi all,
    > (Andrew in CC, in case.)
    >
    > While doing a post-commit review of 67d318e70402, I have noticed the
    > following coverage hole in pglz_decompress(), where a failure of this
    > check is not covered, see also [1]:
    >     if (unlikely(off == 0 ||
    >                  off > (dp - (unsigned char *) dest)))
    >         return -1;
    >
    > This can be triggered easily with the two following sequences in the
    > regression tests:
    > SELECT test_pglz_decompress('\x011001'::bytea, 1024, true);
    > SELECT test_pglz_decompress('\x010300'::bytea, 1024, true);
    >
    > It's unfortunately too late for this round of minor releases, but I'd
    > like to fix this hole once the next minor versions are tagged, down to
    > v14.  If there are any objections or comments, feel free.  Mea culpa.
    >
    >
    I looked at this on my current master.  The patch applies cleanly and
    compression_pglz passes for me.
    
    The two added inputs seem to cover the intended cases: one produces an
    offset larger than the amount of output already written, and the other
    produces offset zero, so both exercise the corrupt-input guard in
    pglz_decompress().
    
    Patch looks good to me.
    
    Regards,
    Ayush
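To make the guard concrete, here is an added worked example (my own reconstruction of the pglz decode loop, not PostgreSQL's code and not part of this thread) that decodes both byte strings quoted above and shows why each is rejected. The truncation checks, the run_case() helper and the valid "ababab" stream are my additions.

```c
#include <stdint.h>
#include <string.h>

/* Minimal reconstruction of the pglz decode loop (illustrative, not
 * PostgreSQL's pglz_decompress()). Returns bytes written, or -1 on corrupt
 * or truncated input; check_complete also requires exactly rawsize bytes. */
int32_t demo_pglz_decompress(const unsigned char *src, int32_t slen,
                             unsigned char *dest, int32_t rawsize, int check_complete)
{
    const unsigned char *sp = src, *srcend = src + slen;
    unsigned char *dp = dest, *destend = dest + rawsize;
    while (sp < srcend && dp < destend) {
        unsigned char ctrl = *sp++;                 /* 8 flag bits, LSB first */
        for (int c = 0; c < 8 && sp < srcend && dp < destend; c++, ctrl >>= 1) {
            if (!(ctrl & 1)) { *dp++ = *sp++; continue; }   /* literal byte */
            if (sp + 1 >= srcend) return -1;        /* truncated match (added guard) */
            int32_t len = (sp[0] & 0x0f) + 3;            /* 4-bit length, +3 */
            int32_t off = ((sp[0] & 0xf0) << 4) | sp[1]; /* 12-bit back offset */
            sp += 2;
            if (len == 18) {                        /* extended length byte follows */
                if (sp >= srcend) return -1;        /* added guard */
                len += *sp++;
            }
            /* The guard from the thread: the back-reference must point into
             * output already produced, and offset 0 is never valid. */
            if (off == 0 || off > (dp - dest)) return -1;
            if (len > destend - dp) len = (int32_t) (destend - dp);
            while (len-- > 0) { *dp = dp[-off]; dp++; }  /* byte-wise: overlap OK */
        }
    }
    if (check_complete && dp != destend) return -1;
    return (int32_t) (dp - dest);
}

/* The two inputs from the thread, plus one constructed valid stream:
 * literals "ab" followed by a 4-byte match at offset 2 -> "ababab". */
static const unsigned char thread_off_too_big[] = {0x01, 0x10, 0x01}; /* off = 257 */
static const unsigned char thread_off_zero[]    = {0x01, 0x03, 0x00}; /* off = 0 */
static const unsigned char valid_stream[]       = {0x04, 'a', 'b', 0x01, 0x02};

/* Helper mirroring test_pglz_decompress(..., rawsize, true) into a scratch
 * buffer; returns the decoder's result, or -2 if output differs from expect. */
int32_t run_case(const unsigned char *src, int32_t slen, int32_t rawsize,
                 const char *expect)
{
    unsigned char buf[1024];
    int32_t n = demo_pglz_decompress(src, slen, buf, rawsize, 1);
    if (n >= 0 && expect && (n != (int32_t) strlen(expect) || memcmp(buf, expect, n)))
        return -2;
    return n;
}
```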