Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitfe25269

Browse files
committed
to_char(): prevent writing beyond the allocated buffer
Previously very long localized month and weekday strings couldoverflow the allocated buffers, causing a server crash.Reported and patch reviewed by Noah Misch. Backpatch to allsupported versions.Security:CVE-2015-0241
1 parentb8b5801 commitfe25269

File tree

1 file changed

+125
-14
lines changed

1 file changed

+125
-14
lines changed

‎src/backend/utils/adt/formatting.c‎

Lines changed: 125 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -110,7 +110,7 @@
110110
* Maximal length of one node
111111
* ----------
112112
*/
113-
#defineDCH_MAX_ITEM_SIZ9/* maxjulian day*/
113+
#defineDCH_MAX_ITEM_SIZ 12/* maxlocalized day name*/
114114
#defineNUM_MAX_ITEM_SIZ8/* roman number (RN has 15 chars)*/
115115

116116
/* ----------
@@ -525,10 +525,12 @@ do { \
525525
* Suffixes definition for DATE-TIME TO/FROM CHAR
526526
* ----------
527527
*/
528+
#defineTM_SUFFIX_LEN2
529+
528530
staticKeySuffixDCH_suff[]= {
529531
{"FM",2,DCH_S_FM,SUFFTYPE_PREFIX},
530532
{"fm",2,DCH_S_FM,SUFFTYPE_PREFIX},
531-
{"TM",2,DCH_S_TM,SUFFTYPE_PREFIX},
533+
{"TM",TM_SUFFIX_LEN,DCH_S_TM,SUFFTYPE_PREFIX},
532534
{"tm",2,DCH_S_TM,SUFFTYPE_PREFIX},
533535
{"TH",2,DCH_S_TH,SUFFTYPE_POSTFIX},
534536
{"th",2,DCH_S_th,SUFFTYPE_POSTFIX},
@@ -537,6 +539,7 @@ static KeySuffix DCH_suff[] = {
537539
{NULL,0,0,0}
538540
};
539541

542+
540543
/* ----------
541544
* Format-pictures (KeyWord).
542545
*
@@ -2532,7 +2535,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
25322535
if (!tm->tm_mon)
25332536
break;
25342537
if (S_TM(n->suffix))
2535-
strcpy(s,str_toupper_z(localized_full_months[tm->tm_mon-1],collid));
2538+
{
2539+
char*str=str_toupper_z(localized_full_months[tm->tm_mon-1],collid);
2540+
2541+
if (strlen(str)< (n->key->len+TM_SUFFIX_LEN)*DCH_MAX_ITEM_SIZ)
2542+
strcpy(s,str);
2543+
else
2544+
ereport(ERROR,
2545+
(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
2546+
errmsg("localized string format value too long")));
2547+
}
25362548
else
25372549
sprintf(s,"%*s",S_FM(n->suffix) ?0 :-9,
25382550
asc_toupper_z(months_full[tm->tm_mon-1]));
@@ -2543,7 +2555,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
25432555
if (!tm->tm_mon)
25442556
break;
25452557
if (S_TM(n->suffix))
2546-
strcpy(s,str_initcap_z(localized_full_months[tm->tm_mon-1],collid));
2558+
{
2559+
char*str=str_initcap_z(localized_full_months[tm->tm_mon-1],collid);
2560+
2561+
if (strlen(str)< (n->key->len+TM_SUFFIX_LEN)*DCH_MAX_ITEM_SIZ)
2562+
strcpy(s,str);
2563+
else
2564+
ereport(ERROR,
2565+
(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
2566+
errmsg("localized string format value too long")));
2567+
}
25472568
else
25482569
sprintf(s,"%*s",S_FM(n->suffix) ?0 :-9,
25492570
months_full[tm->tm_mon-1]);
@@ -2554,7 +2575,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
25542575
if (!tm->tm_mon)
25552576
break;
25562577
if (S_TM(n->suffix))
2557-
strcpy(s,str_tolower_z(localized_full_months[tm->tm_mon-1],collid));
2578+
{
2579+
char*str=str_tolower_z(localized_full_months[tm->tm_mon-1],collid);
2580+
2581+
if (strlen(str)< (n->key->len+TM_SUFFIX_LEN)*DCH_MAX_ITEM_SIZ)
2582+
strcpy(s,str);
2583+
else
2584+
ereport(ERROR,
2585+
(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
2586+
errmsg("localized string format value too long")));
2587+
}
25582588
else
25592589
sprintf(s,"%*s",S_FM(n->suffix) ?0 :-9,
25602590
asc_tolower_z(months_full[tm->tm_mon-1]));
@@ -2565,7 +2595,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
25652595
if (!tm->tm_mon)
25662596
break;
25672597
if (S_TM(n->suffix))
2568-
strcpy(s,str_toupper_z(localized_abbrev_months[tm->tm_mon-1],collid));
2598+
{
2599+
char*str=str_toupper_z(localized_abbrev_months[tm->tm_mon-1],collid);
2600+
2601+
if (strlen(str)< (n->key->len+TM_SUFFIX_LEN)*DCH_MAX_ITEM_SIZ)
2602+
strcpy(s,str);
2603+
else
2604+
ereport(ERROR,
2605+
(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
2606+
errmsg("localized string format value too long")));
2607+
}
25692608
else
25702609
strcpy(s,asc_toupper_z(months[tm->tm_mon-1]));
25712610
s+=strlen(s);
@@ -2575,7 +2614,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
25752614
if (!tm->tm_mon)
25762615
break;
25772616
if (S_TM(n->suffix))
2578-
strcpy(s,str_initcap_z(localized_abbrev_months[tm->tm_mon-1],collid));
2617+
{
2618+
char*str=str_initcap_z(localized_abbrev_months[tm->tm_mon-1],collid);
2619+
2620+
if (strlen(str)< (n->key->len+TM_SUFFIX_LEN)*DCH_MAX_ITEM_SIZ)
2621+
strcpy(s,str);
2622+
else
2623+
ereport(ERROR,
2624+
(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
2625+
errmsg("localized string format value too long")));
2626+
}
25792627
else
25802628
strcpy(s,months[tm->tm_mon-1]);
25812629
s+=strlen(s);
@@ -2585,7 +2633,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
25852633
if (!tm->tm_mon)
25862634
break;
25872635
if (S_TM(n->suffix))
2588-
strcpy(s,str_tolower_z(localized_abbrev_months[tm->tm_mon-1],collid));
2636+
{
2637+
char*str=str_tolower_z(localized_abbrev_months[tm->tm_mon-1],collid);
2638+
2639+
if (strlen(str)< (n->key->len+TM_SUFFIX_LEN)*DCH_MAX_ITEM_SIZ)
2640+
strcpy(s,str);
2641+
else
2642+
ereport(ERROR,
2643+
(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
2644+
errmsg("localized string format value too long")));
2645+
}
25892646
else
25902647
strcpy(s,asc_tolower_z(months[tm->tm_mon-1]));
25912648
s+=strlen(s);
@@ -2599,7 +2656,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
25992656
caseDCH_DAY:
26002657
INVALID_FOR_INTERVAL;
26012658
if (S_TM(n->suffix))
2602-
strcpy(s,str_toupper_z(localized_full_days[tm->tm_wday],collid));
2659+
{
2660+
char*str=str_toupper_z(localized_full_days[tm->tm_wday],collid);
2661+
2662+
if (strlen(str)< (n->key->len+TM_SUFFIX_LEN)*DCH_MAX_ITEM_SIZ)
2663+
strcpy(s,str);
2664+
else
2665+
ereport(ERROR,
2666+
(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
2667+
errmsg("localized string format value too long")));
2668+
}
26032669
else
26042670
sprintf(s,"%*s",S_FM(n->suffix) ?0 :-9,
26052671
asc_toupper_z(days[tm->tm_wday]));
@@ -2608,7 +2674,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
26082674
caseDCH_Day:
26092675
INVALID_FOR_INTERVAL;
26102676
if (S_TM(n->suffix))
2611-
strcpy(s,str_initcap_z(localized_full_days[tm->tm_wday],collid));
2677+
{
2678+
char*str=str_initcap_z(localized_full_days[tm->tm_wday],collid);
2679+
2680+
if (strlen(str)< (n->key->len+TM_SUFFIX_LEN)*DCH_MAX_ITEM_SIZ)
2681+
strcpy(s,str);
2682+
else
2683+
ereport(ERROR,
2684+
(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
2685+
errmsg("localized string format value too long")));
2686+
}
26122687
else
26132688
sprintf(s,"%*s",S_FM(n->suffix) ?0 :-9,
26142689
days[tm->tm_wday]);
@@ -2617,7 +2692,16 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
26172692
caseDCH_day:
26182693
INVALID_FOR_INTERVAL;
26192694
if (S_TM(n->suffix))
2620-
strcpy(s,str_tolower_z(localized_full_days[tm->tm_wday],collid));
2695+
{
2696+
char*str=str_tolower_z(localized_full_days[tm->tm_wday],collid);
2697+
2698+
if (strlen(str)< (n->key->len+TM_SUFFIX_LEN)*DCH_MAX_ITEM_SIZ)
2699+
strcpy(s,str);
2700+
else
2701+
ereport(ERROR,
2702+
(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
2703+
errmsg("localized string format value too long")));
2704+
}
26212705
else
26222706
sprintf(s,"%*s",S_FM(n->suffix) ?0 :-9,
26232707
asc_tolower_z(days[tm->tm_wday]));
@@ -2626,23 +2710,50 @@ DCH_to_char(FormatNode *node, bool is_interval, TmToChar *in, char *out, Oid col
26262710
caseDCH_DY:
26272711
INVALID_FOR_INTERVAL;
26282712
if (S_TM(n->suffix))
2629-
strcpy(s,str_toupper_z(localized_abbrev_days[tm->tm_wday],collid));
2713+
{
2714+
char*str=str_toupper_z(localized_abbrev_days[tm->tm_wday],collid);
2715+
2716+
if (strlen(str)< (n->key->len+TM_SUFFIX_LEN)*DCH_MAX_ITEM_SIZ)
2717+
strcpy(s,str);
2718+
else
2719+
ereport(ERROR,
2720+
(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
2721+
errmsg("localized string format value too long")));
2722+
}
26302723
else
26312724
strcpy(s,asc_toupper_z(days_short[tm->tm_wday]));
26322725
s+=strlen(s);
26332726
break;
26342727
caseDCH_Dy:
26352728
INVALID_FOR_INTERVAL;
26362729
if (S_TM(n->suffix))
2637-
strcpy(s,str_initcap_z(localized_abbrev_days[tm->tm_wday],collid));
2730+
{
2731+
char*str=str_initcap_z(localized_abbrev_days[tm->tm_wday],collid);
2732+
2733+
if (strlen(str)< (n->key->len+TM_SUFFIX_LEN)*DCH_MAX_ITEM_SIZ)
2734+
strcpy(s,str);
2735+
else
2736+
ereport(ERROR,
2737+
(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
2738+
errmsg("localized string format value too long")));
2739+
}
26382740
else
26392741
strcpy(s,days_short[tm->tm_wday]);
26402742
s+=strlen(s);
26412743
break;
26422744
caseDCH_dy:
26432745
INVALID_FOR_INTERVAL;
26442746
if (S_TM(n->suffix))
2645-
strcpy(s,str_tolower_z(localized_abbrev_days[tm->tm_wday],collid));
2747+
{
2748+
char*str=str_tolower_z(localized_abbrev_days[tm->tm_wday],collid);
2749+
2750+
if (strlen(str)< (n->key->len+TM_SUFFIX_LEN)*DCH_MAX_ITEM_SIZ)
2751+
strcpy(s,str);
2752+
else
2753+
ereport(ERROR,
2754+
(errcode(ERRCODE_DATETIME_VALUE_OUT_OF_RANGE),
2755+
errmsg("localized string format value too long")));
2756+
}
26462757
else
26472758
strcpy(s,asc_tolower_z(days_short[tm->tm_wday]));
26482759
s+=strlen(s);

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp