Re: Plug-in coverage hole for pglz_decompress()
Ayush Tiwari <ayushtiwari.slg01@gmail.com> — 2026-05-11T06:57:43Z
Hi,

On Mon, 11 May 2026 at 12:06, Michael Paquier <michael@paquier.xyz> wrote:
> Hi all,
> (Andrew in CC, in case.)
>
> While doing a post-commit review of 67d318e70402, I have noticed the
> following coverage hole in pglz_decompress(), where a failure of this
> check is not covered, see also [1]:
>     if (unlikely(off == 0 ||
>                  off > (dp - (unsigned char *) dest)))
>         return -1;
>
> This can be triggered easily with the two following sequences in the
> regression tests:
>     SELECT test_pglz_decompress('\x011001'::bytea, 1024, true);
>     SELECT test_pglz_decompress('\x010300'::bytea, 1024, true);
>
> It's unfortunately too late for this round of minor releases, but I'd
> like to fix this hole once the next minor versions are tagged, down to
> v14. If there are any objections or comments, feel free. Mea culpa.
>

I looked at this on my current master. The patch applies cleanly and
compression_pglz passes for me. The two added inputs seem to cover the
intended cases: one produces an offset larger than the amount of output
already written, and the other produces offset zero, so both exercise the
corrupt-input guard in pglz_decompress().

Patch looks good to me.

Regards,
Ayush
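As an added illustration (not code from the thread or from PostgreSQL), here is a minimal decoder for the pglz tag format that shows why the two byte sequences above hit the offset guard. The tag layout, the clipping of over-long matches and the constructed valid stream are my assumptions about the format, not taken from the patch.

```c
#include <string.h>

/* Minimal decoder for the pglz tag format, written for this note; it is not
 * PostgreSQL's pglz_decompress(). Returns bytes written, or -1 on corrupt input. */
static int pglz_decode(const unsigned char *src, size_t slen,
                       unsigned char *dest, size_t dlen, int check_complete)
{
    const unsigned char *sp = src, *srcend = src + slen;
    unsigned char *dp = dest, *destend = dest + dlen;
    while (sp < srcend && dp < destend) {
        unsigned char ctrl = *sp++; /* one bit per item, LSB first: 1 = match, 0 = literal */
        for (int i = 0; i < 8 && sp < srcend && dp < destend; i++, ctrl >>= 1) {
            if (ctrl & 1) {
                /* match tag: low nibble = length-3, high nibble = offset bits 8..11,
                 * next byte = offset bits 0..7; length 18 means an extension byte follows */
                if (sp + 2 > srcend) return -1;
                int len = (sp[0] & 0x0f) + 3;
                int off = ((sp[0] & 0xf0) << 4) | sp[1];
                sp += 2;
                if (len == 18) { if (sp >= srcend) return -1; len += *sp++; }
                /* the guard from the thread: offset 0 has no source byte, and an
                 * offset beyond what is already written would read before dest */
                if (off == 0 || off > dp - dest) return -1;
                if (len > destend - dp) len = (int)(destend - dp); /* never overrun dest */
                while (len-- > 0) { *dp = dp[-off]; dp++; } /* byte-wise: overlap repeats */
            } else {
                *dp++ = *sp++; /* literal byte */
            }
        }
    }
    /* with check_complete, leftover input or an unfilled output is also corruption */
    if (check_complete && (sp != srcend || dp != destend)) return -1;
    return (int)(dp - dest);
}

/* The two sequences from the thread (control byte 0x01: first item is a match) and a
 * constructed valid stream: literals 'a','b', then a 3-byte match at offset 2. */
static const unsigned char bad_offset[]  = {0x01, 0x10, 0x01}; /* len 3, offset 0x101 */
static const unsigned char zero_offset[] = {0x01, 0x03, 0x00}; /* len 6, offset 0 */
static const unsigned char valid_ababa[] = {0x04, 'a', 'b', 0x00, 0x02};
static unsigned char scratch[1024];     /* rawsize 1024, as in the thread's SQL calls */

/* 1 if src decodes exactly to the NUL-terminated string expect, else 0. */
static int decodes_to(const unsigned char *src, size_t slen, const char *expect)
{
    size_t want = strlen(expect);
    int n = pglz_decode(src, slen, scratch, want, 1);
    return n == (int)want && memcmp(scratch, expect, want) == 0;
}
```

Both thread inputs return -1 from the guard before any byte is copied, while the valid stream decodes to "ababa".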