orbisai0security commented on PR #1744:
URL: https://github.com/apache/cloudberry/pull/1744#issuecomment-4450217790
Thanks for the detailed explanation. I agree that, given the existing sizing
rule:
norm_query_buflen = query_len + jstate->clocations_count * 10
and the invariant that each constant contributes at least one byte, while
each generated placeholder is bounded to at most 11 bytes, the original
overflow claim is not supported. I’ll withdraw the “critical security
vulnerability” framing.
The `snprintf` change is only a defensive hardening/style change, not a
demonstrated bug fix. I also see your point that this may conflict with the
upstream PostgreSQL pg_stat_statements normalisation changes, so this PR
probably is not the right vehicle.
I’m happy to close this, or retitle it as a very small defensive cleanup if
the project would still value replacing `sprintf` with bounded formatting.
Otherwise, I’ll defer to the upstream PostgreSQL normalisation work.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]