Avoid overflow in size calculations in formatting.c.

A few functions in this file were incautious about multiplying a possibly large integer by a factor more than 1 and then using it as an allocation size. This is harmless on 64-bit systems where we'd compute a size exceeding MaxAllocSize and then fail, but on 32-bit systems we could overflow size_t, leading to an undersized allocation and buffer overrun. To fix, use palloc_array() or mul_size() instead of handwritten multiplication.

Reported-by: Sven Klemm <[email protected]>
Reported-by: Xint Code
Author: Nathan Bossart <[email protected]>
Reviewed-by: Tom Lane <[email protected]>
Reviewed-by: Tatsuo Ishii <[email protected]>
Security: CVE-2026-6473
Backpatch-through: 14

Branch
------
REL_18_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/55328e3a98df0fb5aad17f7f9aec64954462c871
Author: Nathan Bossart <[email protected]>

Modified Files
--------------
src/backend/utils/adt/formatting.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
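
The failure mode the commit message describes, as an added C example that is not PostgreSQL code and not part of this commit. It models a 32-bit size_t with uint32_t so the wraparound reproduces on any host; the function names, lengths and factor are constructed for illustration, and 0x3fffffff is PostgreSQL's MaxAllocSize.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for size_t on a 32-bit platform (assumption of this example). */
typedef uint32_t size32_t;

/* PostgreSQL's palloc request limit, MaxAllocSize (1 GB - 1). */
#define MAX_ALLOC_SIZE ((size32_t) 0x3fffffff)

/* Handwritten multiplication: the product wraps silently modulo 2^32. */
static size32_t
unchecked_alloc_size(size32_t len, size32_t factor)
{
    return (size32_t) (len * factor + 1);   /* +1 for a terminator */
}

/*
 * Checked form: refuse the request if len * factor + 1 would wrap, or if
 * the exact result is larger than the allocator accepts.  Returns false
 * instead of producing a size; *result is only written on success.
 */
static bool
checked_alloc_size(size32_t len, size32_t factor, size32_t *result)
{
    size32_t total;

    if (factor != 0 && len > (UINT32_MAX - 1) / factor)
        return false;                       /* would overflow size32_t */
    total = len * factor + 1;
    if (total > MAX_ALLOC_SIZE)
        return false;                       /* allocator would reject it */
    *result = total;
    return true;
}

int
main(void)
{
    size32_t len = 0x20000000;              /* constructed: 512 MB input */
    size32_t factor = 8;                    /* constructed expansion factor */
    size32_t size = 0;

    printf("unchecked size: %u bytes\n", (unsigned) unchecked_alloc_size(len, factor));
    printf("checked accepts: %d\n", checked_alloc_size(len, factor, &size));
    return 0;
}
```

The unchecked call yields a 1-byte request for data that needs 4 GB, and that small request passes the MaxAllocSize test; the checked call rejects it before any allocation happens.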
