In fmtIdEnc(), handle failure of enlargePQExpBuffer().

Coverity complained that we weren't doing that, and it's right.

This fix just makes fmtIdEnc() honor the general convention that OOM
causes a PQExpBuffer to become marked "broken", without any immediate
error.  In the pretty-unlikely case that we actually did hit OOM here,
the end result would be to return an empty string to the caller,
probably resulting in invalid SQL syntax in an issued command (if
nothing else went wrong, which is even more unlikely).  It's tempting
to throw an "out of memory" error if the buffer becomes broken, but
there's not a lot of point in doing that only here and not in hundreds
of other PQExpBuffer-using places in pg_dump and similar callers.
The whole issue could do with some non-time-crunched redesign, perhaps.

This is a followup to the fixes for CVE-2025-1094, and should be
included if cherry-picking those fixes.

diff --git a/src/fe_utils/string_utils.c b/src/fe_utils/string_utils.c
index bdf35db614c8fc7a30671f009e85d8c4a7d7e686..130d1020d504dffde9cff9e9da4c76f2f3b8d281 100644 (file)
--- a/src/fe_utils/string_utils.c
+++ b/src/fe_utils/string_utils.c
@@ -200,11 +200,13 @@ fmtIdEnc(const char *rawid, int encoding)
                 * easier for users to find the invalidly encoded portion of a
                 * larger string.
                 */
-               enlargePQExpBuffer(id_return, 2);
-               pg_encoding_set_invalid(encoding,
-                                       id_return->data + id_return->len);
-               id_return->len += 2;
-               id_return->data[id_return->len] = '\0';
+               if (enlargePQExpBuffer(id_return, 2))
+               {
+                   pg_encoding_set_invalid(encoding,
+                                           id_return->data + id_return->len);
+                   id_return->len += 2;
+                   id_return->data[id_return->len] = '\0';
+               }
 
                /*
                 * Handle the following bytes as if this byte didn't exist.