Hi,
On Mon, 11 May 2026 at 12:06, Michael Paquier <[email protected]> wrote:
> Hi all,
> (Andrew in CC, in case.)
>
> While doing a post-commit review of 67d318e70402, I have noticed the
> following coverage hole in pglz_decompress(), where a failure of this
> check is not covered, see also [1]:
> if (unlikely(off == 0 ||
> off > (dp - (unsigned char *) dest)))
> return -1;
>
> This can be triggered easily with the two following sequences in the
> regression tests:
> SELECT test_pglz_decompress('\x011001'::bytea, 1024, true);
> SELECT test_pglz_decompress('\x010300'::bytea, 1024, true);
>
> It's unfortunately too late for this round of minor releases, but I'd
> like to fix this hole once the next minor versions are tagged, down to
> v14. If there are any objections or comments, feel free. Mea culpa.
>
>
I looked at this on my current master. The patch applies cleanly and
compression_pglz passes for me.
The two added inputs seem to cover the intended cases: one produces an
offset larger than the amount of output already written, and the other
produces offset zero, so both exercise the corrupt-input guard in
pglz_decompress().
Patch looks good to me.
Regards,
Ayush
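To make it concrete why those two byte strings hit the two halves of the guard, here is a small illustrative decoder for the pglz tag layout (control byte with one bit per item; a set bit means a two-byte back-reference whose low nibble is length-3 and whose high nibble plus the next byte is the offset, with a third byte extending length 18). This is an added example written for this reply, not PostgreSQL's pglz_decompress(); the function and case names (demo_pglz_decompress, demo_case_*) are invented, the inputs are constructed by hand, and it goes slightly beyond the two regression inputs by also showing the "offset beyond output" branch once some output exists and a valid back-reference that decodes correctly.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative decoder for the pglz tag format (not PostgreSQL's own code).
 * Returns the number of bytes written to dest, or -1 on corrupt input.
 */
int demo_pglz_decompress(const unsigned char *src, size_t slen,
                         unsigned char *dest, size_t dlen)
{
    const unsigned char *sp = src, *srcend = src + slen;
    unsigned char *dp = dest, *destend = dest + dlen;

    while (sp < srcend && dp < destend)
    {
        unsigned char ctrl = *sp++;
        int ctrlc;

        /* Each control byte describes up to eight items, LSB first. */
        for (ctrlc = 0; ctrlc < 8 && sp < srcend && dp < destend; ctrlc++)
        {
            if (ctrl & 1)
            {
                size_t len, off;

                if (sp + 1 >= srcend)      /* a tag needs two bytes */
                    return -1;
                len = (sp[0] & 0x0f) + 3;
                off = ((size_t) (sp[0] & 0xf0) << 4) | sp[1];
                sp += 2;
                if (len == 18)             /* long match: extra length byte */
                {
                    if (sp >= srcend)
                        return -1;
                    len += *sp++;
                }

                /*
                 * The guard under discussion: the offset must point into
                 * output already produced. off == 0 would copy dp onto
                 * itself; off > (dp - dest) would read before dest.
                 */
                if (off == 0 || off > (size_t) (dp - dest))
                    return -1;
                if (len > (size_t) (destend - dp))
                    return -1;

                /* Byte-wise copy: source and destination may overlap. */
                while (len--)
                {
                    *dp = dp[-(ptrdiff_t) off];
                    dp++;
                }
            }
            else
            {
                *dp++ = *sp++;             /* literal byte */
            }
            ctrl >>= 1;
        }
    }
    if (sp != srcend)                      /* input left over: corrupt */
        return -1;
    return (int) (dp - dest);
}

/* '\x011001': ctrl 0x01, tag 0x10 0x01 -> len 3, off 257 with no output yet. */
int demo_case_offset_too_large(void)
{
    static const unsigned char in[] = {0x01, 0x10, 0x01};   /* constructed */
    unsigned char out[1024];
    return demo_pglz_decompress(in, sizeof in, out, sizeof out);
}

/* '\x010300': ctrl 0x01, tag 0x03 0x00 -> len 6, off 0. */
int demo_case_offset_zero(void)
{
    static const unsigned char in[] = {0x01, 0x03, 0x00};   /* constructed */
    unsigned char out[1024];
    return demo_pglz_decompress(in, sizeof in, out, sizeof out);
}

/* One literal 'x', then a tag with off 2: only one byte has been produced. */
int demo_case_offset_past_output(void)
{
    static const unsigned char in[] = {0x02, 'x', 0x00, 0x02};   /* constructed */
    unsigned char out[1024];
    return demo_pglz_decompress(in, sizeof in, out, sizeof out);
}

/* Literals "abc" then a tag len 6 off 3: decodes to "abcabcabc". Returns 1 if so. */
int demo_case_valid(void)
{
    static const unsigned char in[] = {0x08, 'a', 'b', 'c', 0x03, 0x03};   /* constructed */
    unsigned char out[64];
    int n = demo_pglz_decompress(in, sizeof in, out, sizeof out);
    return n == 9 && memcmp(out, "abcabcabc", 9) == 0;
}

int main(void)
{
    printf("offset 257 with no output: %d\n", demo_case_offset_too_large());
    printf("offset 0: %d\n", demo_case_offset_zero());
    printf("offset 2 after one byte: %d\n", demo_case_offset_past_output());
    printf("valid sample decodes to abcabcabc: %d\n", demo_case_valid());
    return 0;
}
```

The first two cases are the regression inputs from the patch: with an empty output buffer any nonzero offset is already "larger than the amount written", and the second input's tag byte 0x03 followed by 0x00 yields offset 0. The third case shows the same check firing once some output exists, and the last shows a legitimate overlapping back-reference passing the guard.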