Re: Bug: Reading from single byte character column type may cause out of bounds memory reads.

From Tom Lane
Subject Re: Bug: Reading from single byte character column type may cause out of bounds memory reads.
Date
Msg-id 3682073.1662569131@sss.pgh.pa.us
In response to Re: Bug: Reading from single byte character column type may cause out of bounds memory reads.  (Noah Misch <noah@leadboat.com>)
List pgsql-hackers
Noah Misch <noah@leadboat.com> writes:
> On Thu, Sep 01, 2022 at 03:35:52PM -0400, Tom Lane wrote:
>> I think we should reject Aleksander's patch, on the grounds that
>> it's now unnecessary --- or if you want to argue that it's still
>> necessary, then it's woefully inadequate, because there are surely
>> a bunch of other text-processing functions that will also misbehave
>> on wrongly-encoded data.  But our general policy for years has been
>> that we check incoming text for encoding validity and then presume
>> that it is valid in manipulation operations.

> pg_upgrade carries forward invalid text.  A presumption of encoding validity
> won't be justified any sooner than a presumption of not finding HEAP_MOVED_OFF
> flags.  Hence, I think there should exist another policy that text-processing
> functions prevent severe misbehavior when processing invalid text.
> Out-of-bounds memory access qualifies as severe.

Well ... that sounds great in the abstract, but it's not clear to me
that the problem justifies either the amount of developer effort it'd
take to close all the holes, or the performance hits we'd likely take.
In any case, changing only text_substring() isn't going to move the
ball very far at all.

>> I'm leaning to the idea that we should not back-patch, because
>> this issue has been there for years with few complaints; it's
>> not clear that closing the hole is worth creating a compatibility
>> hazard in minor releases.

> I would not back-patch.

OK.  Let's close out this CF item as RWF, then.

            regards, tom lane


