Plug-in coverage hole for pglz_decompress()

Started by Michael Paquier, 14 days ago, 3 messages, hackers
#1 Michael Paquier
michael@paquier.xyz

Hi all,
(Andrew in CC, in case.)

While doing a post-commit review of 67d318e70402, I have noticed the
following coverage hole in pglz_decompress(), where a failure of this
check is not covered, see also [1]:
    if (unlikely(off == 0 ||
                 off > (dp - (unsigned char *) dest)))
        return -1;

This can be triggered easily with the two following sequences in the
regression tests:
SELECT test_pglz_decompress('\x011001'::bytea, 1024, true);
SELECT test_pglz_decompress('\x010300'::bytea, 1024, true);

It's unfortunately too late for this round of minor releases, but I'd
like to fix this hole once the next minor versions are tagged, down to
v14. If there are any objections or comments, feel free. Mea culpa.

Thanks,

[1]: https://coverage.postgresql.org/src/common/pg_lzcompress.c.gcov.html
--
Michael

Attachments:

0001-Add-more-tests-for-corrupted-data-in-pglz_decompress.patch (text/plain; charset=us-ascii, +22 -3)
#2 Ayush Tiwari
ayushtiwari.slg01@gmail.com
In reply to: Michael Paquier (#1)
Re: Plug-in coverage hole for pglz_decompress()

Hi,

On Mon, 11 May 2026 at 12:06, Michael Paquier <michael@paquier.xyz> wrote:

> Hi all,
> (Andrew in CC, in case.)
>
> While doing a post-commit review of 67d318e70402, I have noticed the
> following coverage hole in pglz_decompress(), where a failure of this
> check is not covered, see also [1]:
>     if (unlikely(off == 0 ||
>                  off > (dp - (unsigned char *) dest)))
>         return -1;
>
> This can be triggered easily with the two following sequences in the
> regression tests:
> SELECT test_pglz_decompress('\x011001'::bytea, 1024, true);
> SELECT test_pglz_decompress('\x010300'::bytea, 1024, true);
>
> It's unfortunately too late for this round of minor releases, but I'd
> like to fix this hole once the next minor versions are tagged, down to
> v14. If there are any objections or comments, feel free. Mea culpa.

I looked at this on my current master. The patch applies cleanly and
compression_pglz passes for me.

The two added inputs seem to cover the intended cases: one produces an
offset larger than the amount of output already written, and the other
produces offset zero, so both exercise the corrupt-input guard in
pglz_decompress().

Patch looks good to me.

Regards,
Ayush
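
A small model of the pglz tag decoding and of the guard discussed in this thread, added here as an illustration (simplified, not PostgreSQL's pg_lzcompress.c); the byte arrays are the two inputs from the patch plus a constructed valid sequence, and decode_probe is a hypothetical helper:

```c
#include <stddef.h>
#include <string.h>
/* Simplified pglz decoder (illustration only, not pg_lzcompress.c):
 * returns the number of bytes written to dest, or -1 on corrupt input. */
static int pglz_decode(const unsigned char *src, size_t slen,
                       unsigned char *dest, size_t dlen)
{
    const unsigned char *sp = src, *srcend = src + slen;
    unsigned char *dp = dest, *destend = dest + dlen;
    while (sp < srcend && dp < destend)
    {
        unsigned char ctrl = *sp++;   /* 8 flag bits, LSB first */
        for (int i = 0; i < 8 && sp < srcend && dp < destend; i++, ctrl >>= 1)
        {
            if (!(ctrl & 1)) { *dp++ = *sp++; continue; }   /* literal byte */
            /* Tag: low nibble = length - 3, high nibble = offset bits 11..8,
             * next byte = offset bits 7..0 (12-bit back-reference offset). */
            if (sp + 2 > srcend)
                return -1;            /* truncated tag */
            int len = (sp[0] & 0x0f) + 3;
            int off = ((sp[0] & 0xf0) << 4) | sp[1];
            sp += 2;
            if (len == 18 && sp < srcend) len += *sp++;  /* extension byte */
            /* The guard from the thread: off == 0 copies unwritten output onto
             * itself, off > bytes already written would read before dest. */
            if (off == 0 || off > (dp - dest))
                return -1;
            if (len > destend - dp)
                len = (int) (destend - dp);   /* never write past dest */
            while (len-- > 0)         /* byte-wise: ranges may overlap */
                *dp = dp[-off], dp++;
        }
    }
    return (int) (dp - dest);
}
/* Constructed inputs: the two corrupt sequences from the thread and one
 * valid sequence ("abc", then a length-3 match at offset 3 -> "abcabc"). */
static const unsigned char corrupt_off_big[]  = {0x01, 0x10, 0x01}; /* off 257 */
static const unsigned char corrupt_off_zero[] = {0x01, 0x03, 0x00}; /* off 0 */
static const unsigned char valid_abcabc[] = {0x08, 'a', 'b', 'c', 0x00, 0x03};
/* Hypothetical helper: decode into scratch space; -1 corrupt, -2 output
 * differs from want, else the decoded length. */
static int decode_probe(const unsigned char *src, size_t slen, const char *want)
{
    unsigned char buf[1024];
    int n = pglz_decode(src, slen, buf, sizeof buf);
    if (n >= 0 && want && (strlen(want) != (size_t) n || memcmp(buf, want, n)))
        return -2;
    return n;
}
```

Without the guard, the first input would read 257 bytes before the start of dest and the second would copy each byte onto itself; with it, both inputs return -1 while the valid sequence decodes to "abcabc".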

#3 Michael Paquier
michael@paquier.xyz
In reply to: Ayush Tiwari (#2)
Re: Plug-in coverage hole for pglz_decompress()

On Mon, May 11, 2026 at 12:27:43PM +0530, Ayush Tiwari wrote:

> The two added inputs seem to cover the intended cases: one produces an
> offset larger than the amount of output already written, and the other
> produces offset zero, so both exercise the corrupt-input guard in
> pglz_decompress().

Thanks for double-checking. Done.
--
Michael