Subject: BUG #19413: ASAN: stack-buffer-overflow in foldcase_options() with invalid ICU language tag
To: pgsql-bugs@lists.postgresql.org
From: PG Bug reporting form
Cc: n.kalinin@postgrespro.ru
Reply-To: n.kalinin@postgrespro.ru, pgsql-bugs@lists.postgresql.org
Date: Thu, 19 Feb 2026 05:26:16 +0000
Message-ID: <19413-cf98b0a31559b77b@postgresql.org>

The following bug has been logged on the website:

Bug reference:      19413
Logged by:          Nikita Kalinin
Email address:      n.kalinin@postgrespro.ru
PostgreSQL version: 18.2
Operating system:   ubuntu 22.04
Description:

When building with ASAN:

CPPFLAGS="-O0 -ggdb3 -fno-omit-frame-pointer -fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all -fno-sanitize=nonnull-attribute -fstack-protector"
LDFLAGS="-fsanitize=address -fsanitize=undefined"

Runtime ASAN options:

ASAN_OPTIONS=detect_leaks=0:abort_on_error=1:disable_coredump=0:strict_string_checks=1:check_initialization_order=1:strict_init_order=1:detct_odr_violation=0:detect_stack_use_after_return=0

The following queries:

CREATE COLLATION lt_insensitive (provider = icu, locale = 'enu-ks-level1', deterministic = false);
CREATE COLLATION lt_insensitive (provider = icu, locale = 'en-u-ks-level1', deterministic = false);
CREATE COLLATION x (provider = icu, locale = 'en-u-ks-level1', deterministic = false);
CREATE COLLATION lt_insensitive (provider = icu, locale = 'en-u-ks-level1', deterministic = false);

produce this in the log:

==206378==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc4e1629c3 at pc 0x7025dbac6f8f bp 0x7ffc4e162960 sp 0x7ffc4e162108
READ of size 7 at 0x7ffc4e1629c3 thread T0
    #0 0x7025dbac6f8e in strcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:470
    #1 0x5e20dd343a7b in foldcase_options /home/test/test/postgres/src/backend/utils/adt/pg_locale_icu.c:1000
    #2 0x5e20dd340b46 in pg_ucasemap_open /home/test/test/postgres/src/backend/utils/adt/pg_locale_icu.c:523
    #3 0x5e20dd3403b0 in create_pg_locale_icu /home/test/test/postgres/src/backend/utils/adt/pg_locale_icu.c:385
    #4 0x5e20dd337563 in create_pg_locale /home/test/test/postgres/src/backend/utils/adt/pg_locale.c:1065
    #5 0x5e20dd338ecd in pg_newlocale_from_collation /home/test/test/postgres/src/backend/utils/adt/pg_locale.c:1233
    #6 0x5e20dbc3f66b in DefineCollation /home/test/test/postgres/src/backend/commands/collationcmds.c:387
    #7 0x5e20dce94634 in ProcessUtilitySlow /home/test/test/postgres/src/backend/tcop/utility.c:1441
    #8 0x5e20dce90e19 in standard_ProcessUtility /home/test/test/postgres/src/backend/tcop/utility.c:1068
    #9 0x5e20dce8e5f8 in ProcessUtility /home/test/test/postgres/src/backend/tcop/utility.c:525
    #10 0x5e20dce8997b in PortalRunUtility /home/test/test/postgres/src/backend/tcop/pquery.c:1148
    #11 0x5e20dce8a6cb in PortalRunMulti /home/test/test/postgres/src/backend/tcop/pquery.c:1306
    #12 0x5e20dce87477 in PortalRun /home/test/test/postgres/src/backend/tcop/pquery.c:783
    #13 0x5e20dce70014 in exec_simple_query /home/test/test/postgres/src/backend/tcop/postgres.c:1277
    #14 0x5e20dce7f5b2 in PostgresMain /home/test/test/postgres/src/backend/tcop/postgres.c:4809
    #15 0x5e20dce60a21 in BackendMain /home/test/test/postgres/src/backend/tcop/backend_startup.c:124
    #16 0x5e20dc9daeb3 in postmaster_child_launch /home/test/test/postgres/src/backend/postmaster/launch_backend.c:268
    #17 0x5e20dc9ec38a in BackendStartup /home/test/test/postgres/src/backend/postmaster/postmaster.c:3606
    #18 0x5e20dc9e66af in ServerLoop /home/test/test/postgres/src/backend/postmaster/postmaster.c:1713
    #19 0x5e20dc9e5117 in PostmasterMain /home/test/test/postgres/src/backend/postmaster/postmaster.c:1403
    #20 0x5e20dc2ee164 in main /home/test/test/postgres/src/backend/main/main.c:231
    #21 0x7025da62a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #22 0x7025da62a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #23 0x5e20db2c4cf4 in _start (/tmp/pg/bin/postgres+0x339bcf4) (BuildId: 1e8e5e00d069d99fbf1e4d1d7e56eeb0ddec1ca0)

Address 0x7ffc4e1629c3 is located in stack of thread T0 at offset 51 in frame
    #0 0x5e20dd34394f in foldcase_options /home/test/test/postgres/src/backend/utils/adt/pg_locale_icu.c:988

The issue occurs only when strict_string_checks=1 is enabled. If this option is removed from ASAN_OPTIONS, the problem disappears.

It reproduces only on master. I was not able to reproduce it on REL_18_STABLE.

Is this expected behavior, or is the real issue that strcmp receives an invalid argument — lang is not a null-terminated string?

Note: the web form only allowed selecting 18.2, but the issue reproduces on current git master (future 19) and not on REL_18_STABLE.
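
The following C sketch is an added example, not part of the report and not PostgreSQL code. It illustrates the reporter's question: a strcmp() call on a fixed-size stack buffer that may lack a NUL terminator, next to a checked variant. The buffer size `LANG_CAP`, the helper `get_language()` and both `lang_is_*` functions are assumptions constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define LANG_CAP 3  /* assumed buffer size for this sketch, not taken from PostgreSQL */

/* Hypothetical helper: copy the language subtag (text before the first '-'
 * or '_') into dst. Returns the subtag length; dst is NUL-terminated only
 * when that length is smaller than cap. */
static size_t get_language(const char *locale, char *dst, size_t cap)
{
    size_t len = strcspn(locale, "-_");

    memcpy(dst, locale, len < cap ? len : cap);
    if (len < cap)
        dst[len] = '\0';
    return len;
}

/* Unchecked pattern: for "enu-..." the buffer holds 'e','n','u' and no NUL.
 * strcmp() stops at the first differing byte, so a default ASAN run sees
 * only in-bounds reads; strict_string_checks=1 also scans for the
 * terminator and reports the read past the end of lang[]. */
int lang_is_unchecked(const char *locale, const char *code)
{
    char lang[LANG_CAP];

    get_language(locale, lang, sizeof(lang));
    return strcmp(lang, code) == 0;
}

/* Checked pattern: compare only when the helper reported a terminated result. */
int lang_is_checked(const char *locale, const char *code)
{
    char lang[LANG_CAP];
    size_t len = get_language(locale, lang, sizeof(lang));

    if (len >= sizeof(lang))
        return 0;               /* truncated or unterminated: no match */
    return strcmp(lang, code) == 0;
}

int main(void)
{
    /* Locale strings from the report; only the checked variant is called. */
    printf("%d %d\n", lang_is_checked("enu-ks-level1", "en"),
           lang_is_checked("en-u-ks-level1", "en"));
    return 0;
}
```

Building this with -fsanitize=address and calling `lang_is_unchecked("enu-ks-level1", "en")` is the case where the result depends on whether strict_string_checks=1 is set in ASAN_OPTIONS.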