summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5ae3bf1)
raw | patch | inline | side by side (parent: 5ae3bf1)
| author | Bruce Momjian <bruce@momjian.us> | |
| Mon, 2 Feb 2015 15:00:45 +0000 (10:00 -0500) | ||
| committer | Bruce Momjian <bruce@momjian.us> | |
| Mon, 2 Feb 2015 15:00:50 +0000 (10:00 -0500) |
Previously very long localized month and weekday strings could
overflow the allocated buffers, causing a server crash.
Reported and patch reviewed by Noah Misch. Backpatch to all
supported versions.
Security: CVE-2015-0241
overflow the allocated buffers, causing a server crash.
Reported and patch reviewed by Noah Misch. Backpatch to all
supported versions.
Security: CVE-2015-0241
| src/backend/utils/adt/formatting.c | patch | blob | blame | history |
index a8b538229e59755cc4841acabd298d2b4ab1afc3..d8a9c8cc384fdd8f5895935e9efe4a944e4b3092 100644 (file)
* Maximal length of one node
* ----------
*/
-#define DCH_MAX_ITEM_SIZ 9 /* max julian day */
+#define DCH_MAX_ITEM_SIZ 12 /* max localized day name */
#define NUM_MAX_ITEM_SIZ 8 /* roman number (RN has 15 chars) */
/* ----------
* Suffixes definition for DATE-TIME TO/FROM CHAR
* ----------
*/
+#define TM_SUFFIX_LEN 2
+
static KeySuffix DCH_suff[] = {
{"FM", 2, DCH_S_FM, SUFFTYPE_PREFIX},
{"fm", 2, DCH_S_FM, SUFFTYPE_PREFIX},
- {"TM", 2, DCH_S_TM, SUFFTYPE_PREFIX},
+ {"TM", TM_SUFFIX_LEN, DCH_S_TM, SUFFTYPE_PREFIX},
{"tm", 2, DCH_S_TM, SUFFTYPE_PREFIX},
{"TH", 2, DCH_S_TH, SUFFTYPE_POSTFIX},
{"th", 2, DCH_S_th, SUFFTYPE_POSTFIX},
{NULL, 0, 0, 0}
};
+
/* ----------
* Format-pictures (KeyWord).
*
@@ -2534,7 +2537,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
if (!tm->tm_mon)
break;
if (S_TM(n->suffix))
- strcpy(s, str_toupper_z(localized_full_months[tm->tm_mon - 1], collid));
+ {
+ char *str = str_toupper_z(localized_full_months[tm->tm_mon - 1], collid);
+
+ if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
+ strcpy(s, str);
+ else
+ ereport(ERROR,
+ (errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+ errmsg("localized string format value too long")));
+ }
else
sprintf(s, "%*s", S_FM(n->suffix) ? 0 : -9,
asc_toupper_z(months_full[tm->tm_mon - 1]));
@@ -2545,7 +2557,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
if (!tm->tm_mon)
break;
if (S_TM(n->suffix))
- strcpy(s, str_initcap_z(localized_full_months[tm->tm_mon - 1], collid));
+ {
+ char *str = str_initcap_z(localized_full_months[tm->tm_mon - 1], collid);
+
+ if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
+ strcpy(s, str);
+ else
+ ereport(ERROR,
+ (errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+ errmsg("localized string format value too long")));
+ }
else
sprintf(s, "%*s", S_FM(n->suffix) ? 0 : -9,
months_full[tm->tm_mon - 1]);
@@ -2556,7 +2577,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
if (!tm->tm_mon)
break;
if (S_TM(n->suffix))
- strcpy(s, str_tolower_z(localized_full_months[tm->tm_mon - 1], collid));
+ {
+ char *str = str_tolower_z(localized_full_months[tm->tm_mon - 1], collid);
+
+ if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
+ strcpy(s, str);
+ else
+ ereport(ERROR,
+ (errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+ errmsg("localized string format value too long")));
+ }
else
sprintf(s, "%*s", S_FM(n->suffix) ? 0 : -9,
asc_tolower_z(months_full[tm->tm_mon - 1]));
@@ -2567,7 +2597,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
if (!tm->tm_mon)
break;
if (S_TM(n->suffix))
- strcpy(s, str_toupper_z(localized_abbrev_months[tm->tm_mon - 1], collid));
+ {
+ char *str = str_toupper_z(localized_abbrev_months[tm->tm_mon - 1], collid);
+
+ if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
+ strcpy(s, str);
+ else
+ ereport(ERROR,
+ (errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+ errmsg("localized string format value too long")));
+ }
else
strcpy(s, asc_toupper_z(months[tm->tm_mon - 1]));
s += strlen(s);
@@ -2577,7 +2616,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
if (!tm->tm_mon)
break;
if (S_TM(n->suffix))
- strcpy(s, str_initcap_z(localized_abbrev_months[tm->tm_mon - 1], collid));
+ {
+ char *str = str_initcap_z(localized_abbrev_months[tm->tm_mon - 1], collid);
+
+ if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
+ strcpy(s, str);
+ else
+ ereport(ERROR,
+ (errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+ errmsg("localized string format value too long")));
+ }
else
strcpy(s, months[tm->tm_mon - 1]);
s += strlen(s);
@@ -2587,7 +2635,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
if (!tm->tm_mon)
break;
if (S_TM(n->suffix))
- strcpy(s, str_tolower_z(localized_abbrev_months[tm->tm_mon - 1], collid));
+ {
+ char *str = str_tolower_z(localized_abbrev_months[tm->tm_mon - 1], collid);
+
+ if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
+ strcpy(s, str);
+ else
+ ereport(ERROR,
+ (errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+ errmsg("localized string format value too long")));
+ }
else
strcpy(s, asc_tolower_z(months[tm->tm_mon - 1]));
s += strlen(s);
@@ -2601,7 +2658,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
case DCH_DAY:
INVALID_FOR_INTERVAL;
if (S_TM(n->suffix))
- strcpy(s, str_toupper_z(localized_full_days[tm->tm_wday], collid));
+ {
+ char *str = str_toupper_z(localized_full_days[tm->tm_wday], collid);
+
+ if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
+ strcpy(s, str);
+ else
+ ereport(ERROR,
+ (errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+ errmsg("localized string format value too long")));
+ }
else
sprintf(s, "%*s", S_FM(n->suffix) ? 0 : -9,
asc_toupper_z(days[tm->tm_wday]));
@@ -2610,7 +2676,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
case DCH_Day:
INVALID_FOR_INTERVAL;
if (S_TM(n->suffix))
- strcpy(s, str_initcap_z(localized_full_days[tm->tm_wday], collid));
+ {
+ char *str = str_initcap_z(localized_full_days[tm->tm_wday], collid);
+
+ if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
+ strcpy(s, str);
+ else
+ ereport(ERROR,
+ (errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+ errmsg("localized string format value too long")));
+ }
else
sprintf(s, "%*s", S_FM(n->suffix) ? 0 : -9,
days[tm->tm_wday]);
@@ -2619,7 +2694,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
case DCH_day:
INVALID_FOR_INTERVAL;
if (S_TM(n->suffix))
- strcpy(s, str_tolower_z(localized_full_days[tm->tm_wday], collid));
+ {
+ char *str = str_tolower_z(localized_full_days[tm->tm_wday], collid);
+
+ if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
+ strcpy(s, str);
+ else
+ ereport(ERROR,
+ (errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+ errmsg("localized string format value too long")));
+ }
else
sprintf(s, "%*s", S_FM(n->suffix) ? 0 : -9,
asc_tolower_z(days[tm->tm_wday]));
@@ -2628,7 +2712,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
case DCH_DY:
INVALID_FOR_INTERVAL;
if (S_TM(n->suffix))
- strcpy(s, str_toupper_z(localized_abbrev_days[tm->tm_wday], collid));
+ {
+ char *str = str_toupper_z(localized_abbrev_days[tm->tm_wday], collid);
+
+ if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
+ strcpy(s, str);
+ else
+ ereport(ERROR,
+ (errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+ errmsg("localized string format value too long")));
+ }
else
strcpy(s, asc_toupper_z(days_short[tm->tm_wday]));
s += strlen(s);
@@ -2636,7 +2729,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
case DCH_Dy:
INVALID_FOR_INTERVAL;
if (S_TM(n->suffix))
- strcpy(s, str_initcap_z(localized_abbrev_days[tm->tm_wday], collid));
+ {
+ char *str = str_initcap_z(localized_abbrev_days[tm->tm_wday], collid);
+
+ if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
+ strcpy(s, str);
+ else
+ ereport(ERROR,
+ (errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+ errmsg("localized string format value too long")));
+ }
else
strcpy(s, days_short[tm->tm_wday]);
s += strlen(s);
@@ -2644,7 +2746,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
case DCH_dy:
INVALID_FOR_INTERVAL;
if (S_TM(n->suffix))
- strcpy(s, str_tolower_z(localized_abbrev_days[tm->tm_wday], collid));
+ {
+ char *str = str_tolower_z(localized_abbrev_days[tm->tm_wday], collid);
+
+ if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
+ strcpy(s, str);
+ else
+ ereport(ERROR,
+ (errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+ errmsg("localized string format value too long")));
+ }
else
strcpy(s, asc_tolower_z(days_short[tm->tm_wday]));
s += strlen(s);