Fix integer-overflow and alignment hazards in locale-related code.

pg_locale_icu.c was full of places where a very long input string could cause integer overflow while calculating a buffer size, leading to buffer overruns. It also was cavalier about using char-type local arrays as buffers holding arrays of UChar. The alignment of a char[] variable isn't guaranteed, so that this risked failure on alignment-picky platforms. The lack of complaints suggests that such platforms are very rare nowadays; but it's likely that we are paying a performance price on rather more platforms. Declare those arrays as UChar[] instead, keeping their physical size the same. pg_locale_libc.c's strncoll_libc_win32_utf8() also had the disease of assuming it could double or quadruple the input string length without concern for overflow. Reported-by: Xint Code Reported-by: Pavel Kohout <pavel.kohout@aisle.com> Author: Tom Lane <tgl@sss.pgh.pa.us> Backpatch-through: 14 Security: CVE-2026-6473
2026-05-28 04:35:45 -04:00 · 2026-05-11 05:13:51 -07:00 · 2026-05-11 05:13:51 -07:00 · bcfd848e7a
commit bcfd848e7a
parent 498829dca4
1 changed files with 1 additions and 1 deletions
--- a/src/backend/utils/adt/pg_locale.c
+++ b/src/backend/utils/adt/pg_locale.c
@ -1795,7 +1795,7 @@ icu_to_uchar(UChar **buff_uchar, const char *buff, size_t nbytes)
 		ereport(ERROR,
 				(errmsg("%s failed: %s", "ucnv_toUChars", u_errorName(status))));

-	*buff_uchar = palloc((len_uchar + 1) * sizeof(**buff_uchar));
+	*buff_uchar = palloc_array(UChar, len_uchar + 1);

 	status = U_ZERO_ERROR;
 	len_uchar = ucnv_toUChars(icu_converter, *buff_uchar, len_uchar + 1,