Re: BUG #2895: Private Use Unicode character crashes server when using ILIKE

From Tom Lane
Subject Re: BUG #2895: Private Use Unicode character crashes server when using ILIKE
Date
Msg-id 9448.1169609759@sss.pgh.pa.us
In reply to Re: BUG #2895: Private Use Unicode character crashes server when using ILIKE  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: BUG #2895: Private Use Unicode character crashes server when using ILIKE  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-bugs
I wrote:
> I'm surprised we've not seen reports of other problems.  The lack of
> crash in 8.2 is because iwchareq went away completely, but that's
> certainly not the only place doing conversions to pg_wchar and expecting
> the result to fit in a prespecified buffer ...

Actually, it looks like all the other places that use mb2wchar allocate
a buffer with more pg_wchar's than there are bytes in the input, and so
overrun is impossible even with the breakage in pg_utf2wchar_with_len.
The only exception I see in CVS HEAD is sqlchar_to_unicode() in xml.c,
which is new code as of 8.3devel anyway.  So we don't appear to have
a serious security issue as I first feared --- the worst that can
happen is a crash like this when iwchareq's return address is
overwritten with a zero, and even that is only in pre-8.2.

Nonetheless, the code is certainly giving wrong answers for 4-byte
characters.  Will go fix...

            regards, tom lane
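
The buffer-sizing argument in the message above, as an added example that is not part of the original message and is not PostgreSQL's code: a UTF-8 decoder that takes the output capacity explicitly, maps a 4-byte character to one code point, and never emits more code points than input bytes. The name `utf8_to_wchar_bounded` and the sample character U+10FFFD are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Sequence length implied by a UTF-8 lead byte; 1 for ASCII and for any
 * byte that is not a valid 2- to 4-byte lead. */
static size_t utf8_seq_len(unsigned char b)
{
    if ((b & 0xE0) == 0xC0) return 2;
    if ((b & 0xF0) == 0xE0) return 3;
    if ((b & 0xF8) == 0xF0) return 4;
    return 1;
}

/* Hypothetical helper, not PostgreSQL's API. Decodes len bytes of UTF-8 into
 * `to`, which holds cap elements including the 0 terminator. Returns the
 * number of code points written, or -1 instead of writing past the buffer. */
long utf8_to_wchar_bounded(const unsigned char *from, size_t len,
                           uint32_t *to, size_t cap)
{
    static const unsigned char lead_mask[5] = {0, 0, 0x1F, 0x0F, 0x07};
    size_t n = 0;
    if (cap == 0) return -1;
    while (len > 0) {
        size_t need = utf8_seq_len(*from), i;
        uint32_t cp;
        for (i = 1; i < need && i < len; i++)
            if ((from[i] & 0xC0) != 0x80) break;
        if (i < need) need = 1;       /* truncated or malformed: emit byte as-is */
        if (n + 1 >= cap) return -1;  /* always keep room for the terminator */
        cp = (need == 1) ? *from : (uint32_t)(*from & lead_mask[need]);
        for (i = 1; i < need; i++)
            cp = (cp << 6) | (from[i] & 0x3Fu);
        to[n++] = cp;
        from += need;
        len -= need;
    }
    to[n] = 0;
    return (long)n;
}

int main(void)
{
    /* Constructed sample: 'a', U+10FFFD (a 4-byte private-use character), 'b' */
    const unsigned char s[] = {'a', 0xF4, 0x8F, 0xBF, 0xBD, 'b'};
    uint32_t out[sizeof s + 1];       /* one element per input byte, plus terminator */
    long n = utf8_to_wchar_bounded(s, sizeof s, out, sizeof s + 1);
    printf("%ld code points, second is U+%X\n", n, (unsigned)out[1]);
}
```

Because every loop iteration consumes at least one input byte and writes exactly one element, a buffer of input-bytes-plus-one elements can never be overrun, while a fixed two-element buffer is safe only when the caller passes its real capacity.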
