Commit 5785ff77288 for php.net

commit 5785ff77288ba13af68605c858cde13644c440bb
Author: David Carlier <devnexen@gmail.com>
Date:   Thu Jan 15 23:05:18 2026 +0000

    exp/pgsql: insert/update query string build possible UB fix.

    From PQescapeIdentifier() docs

    ```
    A terminating zero byte is not required, and should not be counted in
    length
    ```

diff --git a/NEWS b/NEWS
index 39f1d4e7db3..06ebe601478 100644
--- a/NEWS
+++ b/NEWS
@@ -28,6 +28,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-20882 (buildFromIterator breaks with missing base directory).
     (ndossche)

+- PGSQL:
+  . Fixed INSERT/UPDATE queries building with PQescapeIdentifier() and possible
+    UB. (David Carlier)
+
 - Readline:
   . Fixed bug GH-18139 (Memory leak when overriding some settings
     via readline_info()). (ndossche)
diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c
index 1fbda456c3b..80aacd5443e 100644
--- a/ext/pgsql/pgsql.c
+++ b/ext/pgsql/pgsql.c
@@ -5632,7 +5632,7 @@ PHP_PGSQL_API zend_result php_pgsql_insert(PGconn *pg_link, const zend_string *t
 			goto cleanup;
 		}
 		if (opt & PGSQL_DML_ESCAPE) {
-			tmp = PQescapeIdentifier(pg_link, ZSTR_VAL(fld), ZSTR_LEN(fld) + 1);
+			tmp = PQescapeIdentifier(pg_link, ZSTR_VAL(fld), ZSTR_LEN(fld));
 			if (tmp == NULL) {
 				php_error_docref(NULL, E_NOTICE, "Failed to escape field '%s'", ZSTR_VAL(fld));
 				goto cleanup;
@@ -5817,7 +5817,7 @@ static inline int build_assignment_string(PGconn *pg_link, smart_str *querystr,
 			return -1;
 		}
 		if (opt & PGSQL_DML_ESCAPE) {
-			char *tmp = PQescapeIdentifier(pg_link, ZSTR_VAL(fld), ZSTR_LEN(fld) + 1);
+			char *tmp = PQescapeIdentifier(pg_link, ZSTR_VAL(fld), ZSTR_LEN(fld));
 			if (tmp == NULL) {
 				php_error_docref(NULL, E_NOTICE, "Failed to escape field '%s'", ZSTR_VAL(fld));
 				return -1;