Guard against unsafe conditions in usage of pg_strftime(). Although pg_strftime() has defined error conditions, no callers bother to check for errors. This is problematic because the output string is very likely not null-terminated if an error occurs, so that blindly using it is unsafe. Rather than trusting that we can find and fix all the callers, let's alter the function's API spec slightly: make it guarantee a null-terminated result so long as maxsize > 0.
Furthermore, if we do get an error, let's make that null-terminated result be an empty string. We could instead truncate at the buffer length, but that risks producing mis-encoded output if the tz_name string contains multibyte characters. It doesn't seem reasonable for src/timezone/ to make use of our encoding-aware truncation logic. Also, the only really likely source of a failure is a user-supplied timezone name that is intentionally trying to overrun our buffers. I don't feel a need to be particularly friendly about that case. Author: Tom Lane <[email protected]> Reviewed-by: John Naylor <[email protected]> Backpatch-through: 14 Security: CVE-2026-6474 Branch ------ REL_15_STABLE Details ------- https://git.postgresql.org/pg/commitdiff/c3fff3950f215732365c379bb87bc13d453eb4a5 Author: Tom Lane <[email protected]> Modified Files -------------- src/timezone/strftime.c | 11 +++++++++++ 1 file changed, 11 insertions(+)
