Use palloc_array() in a few more places to avoid overflow

hlinnaka · shardgupta · commit c85a6a3874e0 · 2026-06-02T21:05:21.000+05:30
These could overflow on 32-bit systems. Backpatch-through: 14 Security: CVE-2026-6473 (cherry picked from commit c9447b8bd078f40c8b4969c63bebbb2cc228582b)
diff --git a/contrib/hstore_plperl/hstore_plperl.c b/contrib/hstore_plperl/hstore_plperl.c
@@ -121,7 +121,7 @@ plperl_to_hstore(PG_FUNCTION_ARGS)
 
 	pcount = hv_iterinit(hv);
 
-	pairs = palloc(pcount * sizeof(Pairs));
+	pairs = palloc_array(Pairs, pcount);
 
 	i = 0;
 	while ((he = hv_iternext(hv)))
diff --git a/contrib/hstore_plpython/hstore_plpython.c b/contrib/hstore_plpython/hstore_plpython.c
@@ -153,7 +153,7 @@ plpython_to_hstore(PG_FUNCTION_ARGS)
 		Py_ssize_t	i;
 		Pairs	   *pairs;
 
-		pairs = palloc(pcount * sizeof(*pairs));
+		pairs = palloc_array(Pairs, pcount);
 
 		for (i = 0; i < pcount; i++)
 		{

Original file line number	Diff line number	Diff line change
`@@ -153,7 +153,7 @@ plpython_to_hstore(PG_FUNCTION_ARGS)`
`153`	`153`	`Py_ssize_t i;`
`154`	`154`	`Pairs *pairs;`
`155`	`155`
`156`		`- pairs = palloc(pcount * sizeof(*pairs));`
	`156`	`+ pairs = palloc_array(Pairs, pcount);`
`157`	`157`
`158`	`158`	`for (i = 0; i < pcount; i++)`
`159`	`159`	`{`