From dc6c85ff4d1bb97cd06b11bb19b7b69cf7952f02 Mon Sep 17 00:00:00 2001
From: Heikki Linnakangas <heikki.linnakangas@iki.fi>
Date: Mon, 11 May 2026 21:18:06 +0300
Subject: [PATCH] Use palloc_array() in a few more places to avoid overflow

These could overflow on 32-bit systems.

Backpatch-through: 14
Security: CVE-2026-6473
---
 contrib/hstore_plperl/hstore_plperl.c     | 2 +-
 contrib/hstore_plpython/hstore_plpython.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/contrib/hstore_plperl/hstore_plperl.c b/contrib/hstore_plperl/hstore_plperl.c
index 417b721cff9..f4c742edfa9 100644
--- a/contrib/hstore_plperl/hstore_plperl.c
+++ b/contrib/hstore_plperl/hstore_plperl.c
@@ -121,7 +121,7 @@ plperl_to_hstore(PG_FUNCTION_ARGS)
 
 	pcount = hv_iterinit(hv);
 
-	pairs = palloc(pcount * sizeof(Pairs));
+	pairs = palloc_array(Pairs, pcount);
 
 	i = 0;
 	while ((he = hv_iternext(hv)))
diff --git a/contrib/hstore_plpython/hstore_plpython.c b/contrib/hstore_plpython/hstore_plpython.c
index 4b3ef025f2e..de89511994c 100644
--- a/contrib/hstore_plpython/hstore_plpython.c
+++ b/contrib/hstore_plpython/hstore_plpython.c
@@ -149,7 +149,7 @@ plpython_to_hstore(PG_FUNCTION_ARGS)
 		Py_ssize_t	i;
 		Pairs	   *pairs;
 
-		pairs = palloc(pcount * sizeof(*pairs));
+		pairs = palloc_array(Pairs, pcount);
 
 		for (i = 0; i < pcount; i++)
 		{