This is an automated email from the ASF dual-hosted git repository.

tuhaihe pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cloudberry.git

commit d804b69fb544fe2399f08385ed7f34cfe18d6ccf
Author: Tom Lane <[email protected]>
AuthorDate: Mon May 11 05:13:50 2026 -0700

    Guard against unsafe conditions in usage of pg_strftime().
    
    Although pg_strftime() has defined error conditions, no callers bother
    to check for errors.  This is problematic because the output string is
    very likely not null-terminated if an error occurs, so that blindly
    using it is unsafe.  Rather than trusting that we can find and fix all
    the callers, let's alter the function's API spec slightly: make it
    guarantee a null-terminated result so long as maxsize > 0.
    
    Furthermore, if we do get an error, let's make that null-terminated
    result be an empty string.  We could instead truncate at the buffer
    length, but that risks producing mis-encoded output if the tz_name
    string contains multibyte characters.  It doesn't seem reasonable for
    src/timezone/ to make use of our encoding-aware truncation logic.
    Also, the only really likely source of a failure is a user-supplied
    timezone name that is intentionally trying to overrun our buffers.
    I don't feel a need to be particularly friendly about that case.
    
    Author: Tom Lane <[email protected]>
    Reviewed-by: John Naylor <[email protected]>
    Backpatch-through: 14
    Security: CVE-2026-6474
---
 src/timezone/strftime.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/timezone/strftime.c b/src/timezone/strftime.c
index 9247a34157f..3da0b4d7658 100644
--- a/src/timezone/strftime.c
+++ b/src/timezone/strftime.c
@@ -122,6 +122,13 @@ static char *_yconv(int a, int b, bool convert_top, bool 
convert_yy, char *pt, c
  * Convert timestamp t to string s, a caller-allocated buffer of size maxsize,
  * using the given format pattern.
  *
+ * Unlike standard strftime(), we guarantee to provide a null-terminated
+ * result even on failure, so long as maxsize > 0.  If we overrun the buffer,
+ * return an empty string rather than risking mis-encoded multibyte output.
+ * (Since this module only supports C locale, you might think multibyte
+ * characters are impossible --- but the time zone name printed by %Z comes
+ * from outside and could contain such.)
+ *
  * See also timestamptz_to_str.
  */
 size_t
@@ -135,11 +142,15 @@ pg_strftime(char *s, size_t maxsize, const char *format, 
const struct pg_tm *t)
        if (!p)
        {
                errno = EOVERFLOW;
+               if (maxsize > 0)
+                       *s = '\0';
                return 0;
        }
        if (p == s + maxsize)
        {
                errno = ERANGE;
+               if (maxsize > 0)
+                       *s = '\0';
                return 0;
        }
        *p = '\0';


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to