Fix overflows with ts_headline()

The options "StartSel", "StopSel" and "FragmentDelimiter" given by a
caller of the SQL function ts_headline() have their lengths stored as
int16.  When providing values larger than PG_INT16_MAX, it was possible
to overflow the length values stored, leading to incorrect behaviors in
generateHeadline(), in most cases translating to a crash.

Attempting to use values for these options larger than PG_INT16_MAX is
now blocked.  Some test cases are added to cover our tracks.

Reported-by: Xint Code
Author: Michael Paquier <[email protected]>
Backpatch-through: 14
Security: CVE-2026-6473

Branch
------
REL_16_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/5919e0005b6f23292450a44f1db5c6b2e2bb0ddf
Author: Michael Paquier <[email protected]>

Modified Files
--------------
src/backend/tsearch/wparser_def.c     | 24 +++++++++++++++++++++---
src/test/regress/expected/tsearch.out | 10 ++++++++++
src/test/regress/sql/tsearch.sql      |  8 ++++++++
3 files changed, 39 insertions(+), 3 deletions(-)
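
The length narrowing described in the commit message above, shown as an added example that is not PostgreSQL's code and not part of this commit. `HeadlineOpts`, `set_startsel_unchecked`, `set_startsel_checked` and `make_value` are hypothetical names, and `INT16_MAX` stands in for `PG_INT16_MAX`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for parsed headline options: length kept as int16. */
typedef struct {
    const char *startsel;
    int16_t     startsel_len;
} HeadlineOpts;

/* Before: size_t narrowed to int16 unchecked (gcc/clang keep the low 16 bits). */
static void set_startsel_unchecked(HeadlineOpts *o, const char *val)
{
    o->startsel = val;
    o->startsel_len = (int16_t) strlen(val);
}

/* After: refuse values that do not fit. Returns 0 on success, -1 if rejected. */
static int set_startsel_checked(HeadlineOpts *o, const char *val)
{
    size_t len = strlen(val);
    if (len > INT16_MAX)    /* INT16_MAX stands in for PG_INT16_MAX */
        return -1;
    o->startsel = val;
    o->startsel_len = (int16_t) len;
    return 0;
}

/* Constructed sample input: an option value of n bytes. */
static char *make_value(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL) abort();
    memset(s, 'x', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    HeadlineOpts o = {0};
    char *big = make_value((size_t) INT16_MAX + 1);
    set_startsel_unchecked(&o, big);
    printf("unchecked: stored length %d for a %zu-byte value\n", o.startsel_len, strlen(big));
    printf("checked:   %s\n", set_startsel_checked(&o, big) ? "rejected" : "accepted");
    free(big);
    return 0;
}
```
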