Both readU16 calls in decodeUpdate slice the buffer without checking its length first (src/source/postgres/pg_output_decoder.zig:353,367): a truncated UPDATE message (e.g. U + relation_id + O and nothing else) makes data[pos .. pos + 2] go out of bounds. That's a panic in Debug/ReleaseSafe and UB in ReleaseFast (the default zig build mode; the Docker image uses ReleaseSafe).
The input comes from a trusted Postgres, so the trigger probability is near zero — filed for completeness, not urgency. Note the panic would recur on replay after restart, since the LSN is never confirmed.
Ask: add the same pos + 2 > data.len guards the other decoders already have.
Both
readU16calls indecodeUpdateslice the buffer without checking its length first (src/source/postgres/pg_output_decoder.zig:353,367): a truncated UPDATE message (e.g.U+ relation_id +Oand nothing else) makesdata[pos .. pos + 2]go out of bounds. That's a panic in Debug/ReleaseSafe and UB in ReleaseFast (the defaultzig buildmode; the Docker image uses ReleaseSafe).The input comes from a trusted Postgres, so the trigger probability is near zero — filed for completeness, not urgency. Note the panic would recur on replay after restart, since the LSN is never confirmed.
Ask: add the same
pos + 2 > data.lenguards the other decoders already have.