Hi,
After some investigation into very corrupted toast data in one
postgres instance, I found that the pglz_decompress function (in
common/pg_lzcompress.c) does not check correctly where it copies data
from using memcpy(), which could result in a segfault.
In this function, there are other checks to ensure that we do not copy
after the destination end, but not if we copy data from "before the
beginning".
Apologies, I am not a C developer and I am not used to submitting patches.
Still, I have tried, and attached a kind of PoC with a relatively random
corrupted payload (it was beginning with those bytes in my storage for
obscure reasons).
I also attached a simple patch with what could be done just before the
memcpy calls.
Regards,
Flavien
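The missing check the mail describes, as an added illustration that is neither Flavien's attached patch nor PostgreSQL's pg_lzcompress.c: a minimal LZ77-style decoder whose stream format (tag byte, literal run, back-reference of offset and length) is invented for this example, so that the source of a back-reference copy can only ever be compared against the start of the output buffer. The sample streams, the function names and the constants are all constructed here; the one point carried over from the mail is that the "copy from before the beginning" case must be rejected alongside the existing "copy past the end" checks.

```c
/*
 * Toy LZ-style decoder (example code, not PostgreSQL's pglz format).
 * Stream format, made up for this example:
 *   0x00 <len> <len bytes>   literal run
 *   0x01 <off> <len>         back-reference: copy <len> bytes starting
 *                            <off> bytes behind the current output position
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LITERAL 0x00
#define TAG_MATCH   0x01

/* Returns the number of bytes written, or -1 if the stream is corrupt. */
static int
toy_decompress(const uint8_t *src, size_t srclen, uint8_t *dst, size_t dstlen)
{
    const uint8_t *sp = src, *send = src + srclen;
    uint8_t *dp = dst, *dend = dst + dstlen;

    while (sp < send)
    {
        uint8_t tag = *sp++;

        if (tag == TAG_LITERAL)
        {
            size_t len;
            if (sp >= send) return -1;
            len = *sp++;
            /* literal run must fit in what is left of both buffers */
            if ((size_t)(send - sp) < len) return -1;
            if ((size_t)(dend - dp) < len) return -1;
            memcpy(dp, sp, len);
            sp += len;
            dp += len;
        }
        else if (tag == TAG_MATCH)
        {
            size_t off, len;
            const uint8_t *from;
            if (send - sp < 2) return -1;
            off = *sp++;
            len = *sp++;
            if (off == 0) return -1;
            /*
             * The check the mail is about: the copy source (dp - off) must
             * not lie before the beginning of the output buffer.  Compare
             * distances rather than forming the out-of-range pointer.
             */
            if ((size_t)(dp - dst) < off) return -1;
            /* and, as before, never write past the destination end */
            if ((size_t)(dend - dp) < len) return -1;
            from = dp - off;
            /* byte-wise copy: when off < len the copy overlaps on purpose */
            for (size_t i = 0; i < len; i++)
                dp[i] = from[i];
            dp += len;
        }
        else
            return -1;  /* unknown tag */
    }
    return (int)(dp - dst);
}

/* Constructed valid stream: "abc" then repeat 6 bytes from 3 back. */
static int
demo_valid(void)
{
    static const uint8_t stream[] = { TAG_LITERAL, 3, 'a', 'b', 'c', TAG_MATCH, 3, 6 };
    uint8_t out[32];
    int n = toy_decompress(stream, sizeof stream, out, sizeof out);
    return n == 9 && memcmp(out, "abcabcabc", 9) == 0;
}

/* Constructed corrupt stream: offset 5 with only 3 bytes of output so far,
 * i.e. the copy source would be before the start of the buffer. */
static int
demo_source_before_start(void)
{
    static const uint8_t stream[] = { TAG_LITERAL, 3, 'a', 'b', 'c', TAG_MATCH, 5, 4 };
    uint8_t out[32];
    return toy_decompress(stream, sizeof stream, out, sizeof out);
}

/* Same valid stream, but a destination too small for the expansion. */
static int
demo_dest_overrun(void)
{
    static const uint8_t stream[] = { TAG_LITERAL, 3, 'a', 'b', 'c', TAG_MATCH, 3, 6 };
    uint8_t out[4];
    return toy_decompress(stream, sizeof stream, out, sizeof out);
}

int
main(void)
{
    printf("valid: %d, source-before-start: %d, dest-overrun: %d\n",
           demo_valid(), demo_source_before_start(), demo_dest_overrun());
    return 0;
}
```

The second stream is the shape of corruption the mail reports: every existing check on the destination end passes, and only the comparison of `dp - dst` against the offset stops the decoder from reading (and copying) memory in front of the buffer.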