mirror of
https://github.com/postgres/postgres.git
synced 2026-07-12 11:05:31 -04:00
A corrupted string could cause code that iterates with pg_mblen() to overrun its buffer. Fix, by converting all callers to one of the following: 1. Callers with a null-terminated string now use pg_mblen_cstr(), which raises an "illegal byte sequence" error if it finds a terminator in the middle of the sequence. 2. Callers with a length or end pointer now use either pg_mblen_with_len() or pg_mblen_range(), for the same effect, depending on which of the two seems more convenient at each site. 3. A small number of cases pre-validate a string, and can use pg_mblen_unbounded(). The traditional pg_mblen() function and COPYCHAR macro still exist for backward compatibility, but are no longer used by core code and are hereby deprecated. The same applies to the t_isXXX() functions. Security: CVE-2026-2006 Backpatch-through: 14 Co-authored-by: Thomas Munro <thomas.munro@gmail.com> Co-authored-by: Noah Misch <noah@leadboat.com> Reviewed-by: Heikki Linnakangas <hlinnaka@iki.fi> Reported-by: Paul Gerste (as part of zeroday.cloud) Reported-by: Moritz Sanft (as part of zeroday.cloud) |
||
|---|---|---|
| .. | ||
| brin | ||
| commit_ts | ||
| delay_execution | ||
| dummy_index_am | ||
| dummy_seclabel | ||
| libpq_pipeline | ||
| plsample | ||
| snapshot_too_old | ||
| spgist_name_ops | ||
| ssl_passphrase_callback | ||
| test_bloomfilter | ||
| test_ddl_deparse | ||
| test_escape | ||
| test_extensions | ||
| test_ginpostinglist | ||
| test_integerset | ||
| test_misc | ||
| test_oat_hooks | ||
| test_parser | ||
| test_pg_dump | ||
| test_predtest | ||
| test_rbtree | ||
| test_regex | ||
| test_rls_hooks | ||
| test_shm_mq | ||
| unsafe_tests | ||
| worker_spi | ||
| Makefile | ||
| README | ||
Test extensions and libraries ============================= src/test/modules contains PostgreSQL extensions that are primarily or entirely intended for testing PostgreSQL and/or to serve as example code. The extensions here aren't intended to be installed in a production server and aren't suitable for "real work". Furthermore, while you can do "make install" and "make installcheck" in this directory or its children, it is NOT ADVISABLE to do so with a server containing valuable data. Some of these tests may have undesirable side-effects on roles or other global objects within the tested server. "make installcheck-world" at the top level does not recurse into this directory. Most extensions have their own pg_regress tests or isolationtester specs. Some are also used by tests elsewhere in the tree. If you're adding new hooks or other functionality exposed as C-level API this is where to add the tests for it.