to_char(): prevent writing beyond the allocated buffer
authorBruce Momjian <bruce@momjian.us>
Mon, 2 Feb 2015 15:00:45 +0000 (10:00 -0500)
committerBruce Momjian <bruce@momjian.us>
Mon, 2 Feb 2015 15:00:52 +0000 (10:00 -0500)
Previously very long localized month and weekday strings could
overflow the allocated buffers, causing a server crash.

Reported and patch reviewed by Noah Misch.  Backpatch to all
supported versions.

Security: CVE-2015-0241

src/backend/utils/adt/formatting.c

index e381d088cfb2d3504d509a7d412b5534fed2cea9..38663fc432bebd93810c26465b9cf6bffad7d6a5 100644 (file)
  * Maximal length of one node
  * ----------
  */
-#define DCH_MAX_ITEM_SIZ               9               /* max julian day               */
+#define DCH_MAX_ITEM_SIZ          12           /* max localized day name               */
 #define NUM_MAX_ITEM_SIZ               8               /* roman number (RN has 15 chars)       */
 
 /* ----------
@@ -524,10 +524,12 @@ do { \
  * Suffixes definition for DATE-TIME TO/FROM CHAR
  * ----------
  */
+#define TM_SUFFIX_LEN  2
+
 static KeySuffix DCH_suff[] = {
        {"FM", 2, DCH_S_FM, SUFFTYPE_PREFIX},
        {"fm", 2, DCH_S_FM, SUFFTYPE_PREFIX},
-       {"TM", 2, DCH_S_TM, SUFFTYPE_PREFIX},
+       {"TM", TM_SUFFIX_LEN, DCH_S_TM, SUFFTYPE_PREFIX},
        {"tm", 2, DCH_S_TM, SUFFTYPE_PREFIX},
        {"TH", 2, DCH_S_TH, SUFFTYPE_POSTFIX},
        {"th", 2, DCH_S_th, SUFFTYPE_POSTFIX},
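Review bot: TM_SUFFIX_LEN is applied to the `TM` row only, while the `tm` row directly below it still carries the literal 2, so the two spellings of the same prefix can drift apart if the constant is ever touched; use `{"tm", TM_SUFFIX_LEN, DCH_S_TM, SUFFTYPE_PREFIX},` as well. The new define would also benefit from a comment stating its purpose, since nothing in this table explains why one suffix length became a named constant, e.g. `/* length of the TM/tm prefix; added to a node's key length when budgeting its output space in DCH_to_char */`.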
@@ -536,6 +538,7 @@ static KeySuffix DCH_suff[] = {
        {NULL, 0, 0, 0}
 };
 
+
 /* ----------
  * Format-pictures (KeyWord).
  *
@@ -2292,10 +2295,19 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out)
                                if (!tm->tm_mon)
                                        break;
                                if (S_TM(n->suffix))
-                                       strcpy(s, str_toupper_z(localized_full_months[tm->tm_mon - 1]));
+                               {
+                                       char *str = str_toupper_z(localized_full_months[tm->tm_mon - 1]);
+
+                                       if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
+                                               strcpy(s, str);
+                                       else
+                                               ereport(ERROR,
+                                                               (errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+                                                                errmsg("localized string format value too long")));
+                               }
                                else
                                        sprintf(s, "%*s", S_FM(n->suffix) ? 0 : -9,
-                                                       asc_toupper_z(months_full[tm->tm_mon - 1]));
+                                               asc_toupper_z(months_full[tm->tm_mon - 1]));
                                s += strlen(s);
                                break;
                        case DCH_Month:
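Review bot: The guard-plus-ereport added here is repeated verbatim in eleven more cases below, so the budget formula `(n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ`, the comparison operator and the error text now live in twelve places and any later adjustment to one of them is easy to miss in another; a small static helper taking the destination, the localized string and the node would keep the check in one place. The check is also only sound if the `out` buffer was allocated with DCH_MAX_ITEM_SIZ bytes per character of the format string, and that allocation is outside this hunk, so the helper's comment should name that assumption. DCH_to_char begins before this hunk and continues after it.

```c
/*
 * Copy a localized month/day name into the output buffer, or error out if it
 * would exceed the space budgeted for this node.  The budget is the node's
 * width in the format string (key plus TM prefix) times DCH_MAX_ITEM_SIZ,
 * which presumes the caller sized the output buffer on that basis.
 */
static void
copy_localized_name(char *dst, const char *src, const FormatNode *n)
{
	if (strlen(src) >= (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
		ereport(ERROR,
				(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
				 errmsg("localized string format value too long")));
	strcpy(dst, src);
}

/* … unchanged: DCH_to_char up to case DCH_MONTH … */
				if (S_TM(n->suffix))
					copy_localized_name(s, str_toupper_z(localized_full_months[tm->tm_mon - 1]), n);
				else
/* … unchanged: sprintf of the English name, s += strlen(s) … */
```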
@@ -2303,7 +2315,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out)
                                if (!tm->tm_mon)
                                        break;
                                if (S_TM(n->suffix))
-                                       strcpy(s, str_initcap_z(localized_full_months[tm->tm_mon - 1]));
+                               {
+                                       char *str = str_initcap_z(localized_full_months[tm->tm_mon - 1]);
+
+                                       if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
+                                               strcpy(s, str);
+                                       else
+                                               ereport(ERROR,
+                                                               (errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+                                                                errmsg("localized string format value too long")));
+                               }
                                else
                                        sprintf(s, "%*s", S_FM(n->suffix) ? 0 : -9,
                                                        months_full[tm->tm_mon - 1]);
@@ -2314,7 +2335,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out)
                                if (!tm->tm_mon)
                                        break;
                                if (S_TM(n->suffix))
-                                       strcpy(s, str_tolower_z(localized_full_months[tm->tm_mon - 1]));
+                               {
+                                       char *str = str_tolower_z(localized_full_months[tm->tm_mon - 1]);
+
+                                       if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
+                                               strcpy(s, str);
+                                       else
+                                               ereport(ERROR,
+                                                               (errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+                                                                errmsg("localized string format value too long")));
+                               }
                                else
                                        sprintf(s, "%*s", S_FM(n->suffix) ? 0 : -9,
                                                        asc_tolower_z(months_full[tm->tm_mon - 1]));
@@ -2325,7 +2355,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out)
                                if (!tm->tm_mon)
                                        break;
                                if (S_TM(n->suffix))
-                                       strcpy(s, str_toupper_z(localized_abbrev_months[tm->tm_mon - 1]));
+                               {
+                                       char *str = str_toupper_z(localized_abbrev_months[tm->tm_mon - 1]);
+
+                                       if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
+                                               strcpy(s, str);
+                                       else
+                                               ereport(ERROR,
+                                                               (errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+                                                                errmsg("localized string format value too long")));
+                               }
                                else
                                        strcpy(s, asc_toupper_z(months[tm->tm_mon - 1]));
                                s += strlen(s);
@@ -2335,7 +2374,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out)
                                if (!tm->tm_mon)
                                        break;
                                if (S_TM(n->suffix))
-                                       strcpy(s, str_initcap_z(localized_abbrev_months[tm->tm_mon - 1]));
+                               {
+                                       char *str = str_initcap_z(localized_abbrev_months[tm->tm_mon - 1]);
+
+                                       if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
+                                               strcpy(s, str);
+                                       else
+                                               ereport(ERROR,
+                                                               (errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+                                                                errmsg("localized string format value too long")));
+                               }
                                else
                                        strcpy(s, months[tm->tm_mon - 1]);
                                s += strlen(s);
@@ -2345,7 +2393,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out)
                                if (!tm->tm_mon)
                                        break;
                                if (S_TM(n->suffix))
-                                       strcpy(s, str_tolower_z(localized_abbrev_months[tm->tm_mon - 1]));
+                               {
+                                       char *str = str_tolower_z(localized_abbrev_months[tm->tm_mon - 1]);
+
+                                       if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
+                                               strcpy(s, str);
+                                       else
+                                               ereport(ERROR,
+                                                               (errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+                                                                errmsg("localized string format value too long")));
+                               }
                                else
                                        strcpy(s, asc_tolower_z(months[tm->tm_mon - 1]));
                                s += strlen(s);
@@ -2359,7 +2416,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out)
                        case DCH_DAY:
                                INVALID_FOR_INTERVAL;
                                if (S_TM(n->suffix))
-                                       strcpy(s, str_toupper_z(localized_full_days[tm->tm_wday]));
+                               {
+                                       char *str = str_toupper_z(localized_full_days[tm->tm_wday]);
+
+                                       if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
+                                               strcpy(s, str);
+                                       else
+                                               ereport(ERROR,
+                                                               (errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+                                                                errmsg("localized string format value too long")));
+                               }
                                else
                                        sprintf(s, "%*s", S_FM(n->suffix) ? 0 : -9,
                                                        asc_toupper_z(days[tm->tm_wday]));
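Review bot: The comparison on the new `if (strlen(str) < ...)` line is strict, so a day name that exactly fills the node's budget is rejected even though, if the output buffer carries a separate trailing byte for the terminator, `<=` would still be within bounds; whether that extra byte exists cannot be seen from this hunk. Either way the choice deserves a one-line comment so the next reader does not "fix" it in one direction or the other, e.g. `/* strict: keep one byte of this node's budget for the terminating NUL */`. The enclosing DCH_to_char continues on both sides of this hunk.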
@@ -2368,7 +2434,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out)
                        case DCH_Day:
                                INVALID_FOR_INTERVAL;
                                if (S_TM(n->suffix))
-                                       strcpy(s, str_initcap_z(localized_full_days[tm->tm_wday]));
+                               {
+                                       char *str = str_initcap_z(localized_full_days[tm->tm_wday]);
+
+                                       if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
+                                               strcpy(s, str);
+                                       else
+                                               ereport(ERROR,
+                                                               (errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+                                                                errmsg("localized string format value too long")));
+                               }
                                else
                                        sprintf(s, "%*s", S_FM(n->suffix) ? 0 : -9,
                                                        days[tm->tm_wday]);
@@ -2377,7 +2452,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out)
                        case DCH_day:
                                INVALID_FOR_INTERVAL;
                                if (S_TM(n->suffix))
-                                       strcpy(s, str_tolower_z(localized_full_days[tm->tm_wday]));
+                               {
+                                       char *str = str_tolower_z(localized_full_days[tm->tm_wday]);
+
+                                       if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
+                                               strcpy(s, str);
+                                       else
+                                               ereport(ERROR,
+                                                               (errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+                                                                errmsg("localized string format value too long")));
+                               }
                                else
                                        sprintf(s, "%*s", S_FM(n->suffix) ? 0 : -9,
                                                        asc_tolower_z(days[tm->tm_wday]));
@@ -2386,7 +2470,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out)
                        case DCH_DY:
                                INVALID_FOR_INTERVAL;
                                if (S_TM(n->suffix))
-                                       strcpy(s, str_toupper_z(localized_abbrev_days[tm->tm_wday]));
+                               {
+                                       char *str = str_toupper_z(localized_abbrev_days[tm->tm_wday]);
+
+                                       if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
+                                               strcpy(s, str);
+                                       else
+                                               ereport(ERROR,
+                                                               (errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+                                                                errmsg("localized string format value too long")));
+                               }
                                else
                                        strcpy(s, asc_toupper_z(days_short[tm->tm_wday]));
                                s += strlen(s);
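Review bot: The non-TM branch `strcpy(s, asc_toupper_z(days_short[tm->tm_wday]));` remains an unbounded copy right next to the newly bounded one, and nothing in the hunk says why that is acceptable; presumably days_short is a fixed built-in table whose entries are far shorter than the node's budget, but that table is not visible here. A short comment would keep a future reader from either flagging it as a second overflow or bounding it needlessly, e.g. `/* built-in ASCII abbreviations: fixed, short, cannot exceed the node budget */`. DCH_to_char extends beyond this hunk in both directions.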
@@ -2394,7 +2487,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out)
                        case DCH_Dy:
                                INVALID_FOR_INTERVAL;
                                if (S_TM(n->suffix))
-                                       strcpy(s, str_initcap_z(localized_abbrev_days[tm->tm_wday]));
+                               {
+                                       char *str = str_initcap_z(localized_abbrev_days[tm->tm_wday]);
+
+                                       if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
+                                               strcpy(s, str);
+                                       else
+                                               ereport(ERROR,
+                                                               (errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+                                                                errmsg("localized string format value too long")));
+                               }
                                else
                                        strcpy(s, days_short[tm->tm_wday]);
                                s += strlen(s);
@@ -2402,7 +2504,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out)
                        case DCH_dy:
                                INVALID_FOR_INTERVAL;
                                if (S_TM(n->suffix))
-                                       strcpy(s, str_tolower_z(localized_abbrev_days[tm->tm_wday]));
+                               {
+                                       char *str = str_tolower_z(localized_abbrev_days[tm->tm_wday]);
+
+                                       if (strlen(str) < (n->key->len + TM_SUFFIX_LEN) * DCH_MAX_ITEM_SIZ)
+                                               strcpy(s, str);
+                                       else
+                                               ereport(ERROR,
+                                                               (errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
+                                                                errmsg("localized string format value too long")));
+                               }
                                else
                                        strcpy(s, asc_tolower_z(days_short[tm->tm_wday]));
                                s += strlen(s);