database/postgres
database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-05-18 17:41:14 +03:00
Code

to_char(): prevent writing beyond the allocated buffer

Browse Source 
Previously very long localized month and weekday strings could
overflow the allocated buffers, causing a server crash.

Reported and patch reviewed by Noah Misch.  Backpatch to all
supported versions.

Security: CVE-2015-0241
This commit is contained in:
Bruce Momjian 2015-02-02 10:00:45 -05:00
parent b8b5801478
commit fe2526990b
1 changed files with 125 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

139
src/backend/utils/adt/formatting.c
View File

@ -110,7 +110,7 @@
* Maximal length of one node * Maximal length of one node
* ---------- * ----------
*/ */
#define DCH_MAX_ITEM_SIZ 9 /* max julian day */ #define DCH_MAX_ITEM_SIZ 12 /* max localized day name */
#define NUM_MAX_ITEM_SIZ 8 /* roman number (RN has 15 chars) */ #define NUM_MAX_ITEM_SIZ 8 /* roman number (RN has 15 chars) */
/* ---------- /* ----------
@ -525,10 +525,12 @@ do { \
* Suffixes definition for DATE-TIME TO/FROM CHAR * Suffixes definition for DATE-TIME TO/FROM CHAR
* ---------- * ----------
*/ */
#define TM_SUFFIX_LEN 2
static KeySuffix DCH_suff[] = { static KeySuffix DCH_suff[] = {
{"FM", 2, DCH_S_FM, SUFFTYPE_PREFIX}, {"FM", 2, DCH_S_FM, SUFFTYPE_PREFIX},
{"fm", 2, DCH_S_FM, SUFFTYPE_PREFIX}, {"fm", 2, DCH_S_FM, SUFFTYPE_PREFIX},
{"TM", 2, DCH_S_TM, SUFFTYPE_PREFIX}, {"TM", TM_SUFFIX_LEN, DCH_S_TM, SUFFTYPE_PREFIX},
{"tm", 2, DCH_S_TM, SUFFTYPE_PREFIX}, {"tm", 2, DCH_S_TM, SUFFTYPE_PREFIX},
{"TH", 2, DCH_S_TH, SUFFTYPE_POSTFIX}, {"TH", 2, DCH_S_TH, SUFFTYPE_POSTFIX},
{"th", 2, DCH_S_th, SUFFTYPE_POSTFIX}, {"th", 2, DCH_S_th, SUFFTYPE_POSTFIX},
@ -537,6 +539,7 @@ static KeySuffix DCH_suff[] = {
{NULL, 0, 0, 0} {NULL, 0, 0, 0}
}; };
/* ---------- /* ----------
* Format-pictures (KeyWord). * Format-pictures (KeyWord).
* *
@ -2532,7 +2535,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
if (!tm->tm_mon) if (!tm->tm_mon)
break; break;
if (S_TM(n->suffix)) if (S_TM(n->suffix))
strcpy(s, str_toupper_z(localized_full_months[tm->tm_mon - 1], collid)); {
char *str = str_toupper_z(localized_full_months[tm->tm_mon - 1], collid);
if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
strcpy(s, str);
else
ereport(ERROR,
(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
errmsg("localized string format value too long")));
}
else else
sprintf(s, "%*s", S_FM(n->suffix) ? 0 : -9, sprintf(s, "%*s", S_FM(n->suffix) ? 0 : -9,
asc_toupper_z(months_full[tm->tm_mon - 1])); asc_toupper_z(months_full[tm->tm_mon - 1]));
@ -2543,7 +2555,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
if (!tm->tm_mon) if (!tm->tm_mon)
break; break;
if (S_TM(n->suffix)) if (S_TM(n->suffix))
strcpy(s, str_initcap_z(localized_full_months[tm->tm_mon - 1], collid)); {
char *str = str_initcap_z(localized_full_months[tm->tm_mon - 1], collid);
if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
strcpy(s, str);
else
ereport(ERROR,
(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
errmsg("localized string format value too long")));
}
else else
sprintf(s, "%*s", S_FM(n->suffix) ? 0 : -9, sprintf(s, "%*s", S_FM(n->suffix) ? 0 : -9,
months_full[tm->tm_mon - 1]); months_full[tm->tm_mon - 1]);
@ -2554,7 +2575,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
if (!tm->tm_mon) if (!tm->tm_mon)
break; break;
if (S_TM(n->suffix)) if (S_TM(n->suffix))
strcpy(s, str_tolower_z(localized_full_months[tm->tm_mon - 1], collid)); {
char *str = str_tolower_z(localized_full_months[tm->tm_mon - 1], collid);
if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
strcpy(s, str);
else
ereport(ERROR,
(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
errmsg("localized string format value too long")));
}
else else
sprintf(s, "%*s", S_FM(n->suffix) ? 0 : -9, sprintf(s, "%*s", S_FM(n->suffix) ? 0 : -9,
asc_tolower_z(months_full[tm->tm_mon - 1])); asc_tolower_z(months_full[tm->tm_mon - 1]));
@ -2565,7 +2595,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
if (!tm->tm_mon) if (!tm->tm_mon)
break; break;
if (S_TM(n->suffix)) if (S_TM(n->suffix))
strcpy(s, str_toupper_z(localized_abbrev_months[tm->tm_mon - 1], collid)); {
char *str = str_toupper_z(localized_abbrev_months[tm->tm_mon - 1], collid);
if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
strcpy(s, str);
else
ereport(ERROR,
(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
errmsg("localized string format value too long")));
}
else else
strcpy(s, asc_toupper_z(months[tm->tm_mon - 1])); strcpy(s, asc_toupper_z(months[tm->tm_mon - 1]));
s += strlen(s); s += strlen(s);
@ -2575,7 +2614,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
if (!tm->tm_mon) if (!tm->tm_mon)
break; break;
if (S_TM(n->suffix)) if (S_TM(n->suffix))
strcpy(s, str_initcap_z(localized_abbrev_months[tm->tm_mon - 1], collid)); {
char *str = str_initcap_z(localized_abbrev_months[tm->tm_mon - 1], collid);
if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
strcpy(s, str);
else
ereport(ERROR,
(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
errmsg("localized string format value too long")));
}
else else
strcpy(s, months[tm->tm_mon - 1]); strcpy(s, months[tm->tm_mon - 1]);
s += strlen(s); s += strlen(s);
@ -2585,7 +2633,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
if (!tm->tm_mon) if (!tm->tm_mon)
break; break;
if (S_TM(n->suffix)) if (S_TM(n->suffix))
strcpy(s, str_tolower_z(localized_abbrev_months[tm->tm_mon - 1], collid)); {
char *str = str_tolower_z(localized_abbrev_months[tm->tm_mon - 1], collid);
if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
strcpy(s, str);
else
ereport(ERROR,
(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
errmsg("localized string format value too long")));
}
else else
strcpy(s, asc_tolower_z(months[tm->tm_mon - 1])); strcpy(s, asc_tolower_z(months[tm->tm_mon - 1]));
s += strlen(s); s += strlen(s);
@ -2599,7 +2656,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
case DCH_DAY: case DCH_DAY:
INVALID_FOR_INTERVAL; INVALID_FOR_INTERVAL;
if (S_TM(n->suffix)) if (S_TM(n->suffix))
strcpy(s, str_toupper_z(localized_full_days[tm->tm_wday], collid)); {
char *str = str_toupper_z(localized_full_days[tm->tm_wday], collid);
if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
strcpy(s, str);
else
ereport(ERROR,
(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
errmsg("localized string format value too long")));
}
else else
sprintf(s, "%*s", S_FM(n->suffix) ? 0 : -9, sprintf(s, "%*s", S_FM(n->suffix) ? 0 : -9,
asc_toupper_z(days[tm->tm_wday])); asc_toupper_z(days[tm->tm_wday]));
@ -2608,7 +2674,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
case DCH_Day: case DCH_Day:
INVALID_FOR_INTERVAL; INVALID_FOR_INTERVAL;
if (S_TM(n->suffix)) if (S_TM(n->suffix))
strcpy(s, str_initcap_z(localized_full_days[tm->tm_wday], collid)); {
char *str = str_initcap_z(localized_full_days[tm->tm_wday], collid);
if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
strcpy(s, str);
else
ereport(ERROR,
(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
errmsg("localized string format value too long")));
}
else else
sprintf(s, "%*s", S_FM(n->suffix) ? 0 : -9, sprintf(s, "%*s", S_FM(n->suffix) ? 0 : -9,
days[tm->tm_wday]); days[tm->tm_wday]);
@ -2617,7 +2692,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
case DCH_day: case DCH_day:
INVALID_FOR_INTERVAL; INVALID_FOR_INTERVAL;
if (S_TM(n->suffix)) if (S_TM(n->suffix))
strcpy(s, str_tolower_z(localized_full_days[tm->tm_wday], collid)); {
char *str = str_tolower_z(localized_full_days[tm->tm_wday], collid);
if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
strcpy(s, str);
else
ereport(ERROR,
(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
errmsg("localized string format value too long")));
}
else else
sprintf(s, "%*s", S_FM(n->suffix) ? 0 : -9, sprintf(s, "%*s", S_FM(n->suffix) ? 0 : -9,
asc_tolower_z(days[tm->tm_wday])); asc_tolower_z(days[tm->tm_wday]));
@ -2626,7 +2710,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
case DCH_DY: case DCH_DY:
INVALID_FOR_INTERVAL; INVALID_FOR_INTERVAL;
if (S_TM(n->suffix)) if (S_TM(n->suffix))
strcpy(s, str_toupper_z(localized_abbrev_days[tm->tm_wday], collid)); {
char *str = str_toupper_z(localized_abbrev_days[tm->tm_wday], collid);
if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
strcpy(s, str);
else
ereport(ERROR,
(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
errmsg("localized string format value too long")));
}
else else
strcpy(s, asc_toupper_z(days_short[tm->tm_wday])); strcpy(s, asc_toupper_z(days_short[tm->tm_wday]));
s += strlen(s); s += strlen(s);
@ -2634,7 +2727,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
case DCH_Dy: case DCH_Dy:
INVALID_FOR_INTERVAL; INVALID_FOR_INTERVAL;
if (S_TM(n->suffix)) if (S_TM(n->suffix))
strcpy(s, str_initcap_z(localized_abbrev_days[tm->tm_wday], collid)); {
char *str = str_initcap_z(localized_abbrev_days[tm->tm_wday], collid);
if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
strcpy(s, str);
else
ereport(ERROR,
(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
errmsg("localized string format value too long")));
}
else else
strcpy(s, days_short[tm->tm_wday]); strcpy(s, days_short[tm->tm_wday]);
s += strlen(s); s += strlen(s);
@ -2642,7 +2744,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
case DCH_dy: case DCH_dy:
INVALID_FOR_INTERVAL; INVALID_FOR_INTERVAL;
if (S_TM(n->suffix)) if (S_TM(n->suffix))
strcpy(s, str_tolower_z(localized_abbrev_days[tm->tm_wday], collid)); {
char *str = str_tolower_z(localized_abbrev_days[tm->tm_wday], collid);
if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
strcpy(s, str);
else
ereport(ERROR,
(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
errmsg("localized string format value too long")));
}
else else
strcpy(s, asc_tolower_z(days_short[tm->tm_wday])); strcpy(s, asc_tolower_z(days_short[tm->tm_wday]));
s += strlen(s); s += strlen(s);