Avoid overflow in size calculations in formatting.c.

A few functions in this file were incautious about multiplying a possibly large integer by a factor more than 1 and then using it as an allocation size. This is harmless on 64-bit systems where we'd compute a size exceeding MaxAllocSize and then fail, but on 32-bit systems we could overflow size_t, leading to an undersized allocation and buffer overrun. To fix, use palloc_array() or mul_size() instead of handwritten multiplication.

Reported-by: Sven Klemm <[email protected]>
Reported-by: Xint Code
Author: Nathan Bossart <[email protected]>
Reviewed-by: Tom Lane <[email protected]>
Reviewed-by: Tatsuo Ishii <[email protected]>
Security: CVE-2026-6473
Backpatch-through: 14

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/6a985e71e9213420b5ebd388b20b2d3180ce0468

Author: Nathan Bossart <[email protected]>

Modified Files
--------------
src/backend/utils/adt/formatting.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
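
The 32-bit versus 64-bit behaviour described in the commit message, as an added example that is not PostgreSQL's code: size_t is modelled with uint32_t, the ceiling mirrors a 1 GB - 1 allocation limit, and the element count and factor of 4 are constructed values. `checked_size` is a hypothetical helper showing the kind of test an overflow-aware multiply performs before the size reaches the allocator.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: a 32-bit size_t and an allocation ceiling of 1 GB - 1. */
typedef uint32_t size32_t;
#define MAX_ALLOC_32 ((size32_t) 0x3fffffff)

/* Handwritten multiplication: the result wraps modulo 2^32. */
static size32_t naive_size(size32_t nelem, size32_t factor)
{
    return (size32_t) (nelem * factor + 1u);
}

/* The same arithmetic with a 64-bit size_t: no wrap, so a ceiling check sees the true size. */
static uint64_t wide_size(uint64_t nelem, uint64_t factor)
{
    return nelem * factor + 1u;
}

/* Hypothetical checked helper: false if the size wraps or exceeds the ceiling. */
static bool checked_size(size32_t nelem, size32_t factor, size32_t *out)
{
    size32_t sz;

    if (factor != 0 && nelem > (UINT32_MAX - 1u) / factor)
        return false;           /* nelem * factor + 1 would not fit in 32 bits */
    sz = nelem * factor + 1u;
    if (sz > MAX_ALLOC_32)
        return false;           /* fits, but larger than the allocator accepts */
    *out = sz;
    return true;
}

int main(void)
{
    size32_t nelem = 0x40000001u, factor = 4, sz = 0;   /* constructed inputs */

    printf("needed bytes (64-bit math): %llu\n", (unsigned long long) wide_size(nelem, factor));
    printf("naive 32-bit request:       %u\n", (unsigned) naive_size(nelem, factor));
    printf("checked 32-bit request:     %s\n", checked_size(nelem, factor, &sz) ? "accepted" : "rejected");
    return 0;
}
```

The naive 32-bit result is small enough to pass any ceiling check, which is why the undersized allocation goes unnoticed until the buffer is written.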
