]> git.ipfire.org Git - thirdparty/postgresql.git/commitdiff
projects / thirdparty / postgresql.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 46b4f5c)
Avoid passing unintended format codes to snprintf().
authorTom Lane <tgl@sss.pgh.pa.us>
Mon, 11 May 2026 12:13:46 +0000 (05:13 -0700)
committerNoah Misch <noah@leadboat.com>
Mon, 11 May 2026 12:13:46 +0000 (05:13 -0700)
timeofday() assumed that the output of pg_strftime() could not contain
% signs, other than the one it explicitly asks for with %%.  However,
we don't have that guarantee with respect to the time zone name (%Z).
A crafted time zone setting could abuse the subsequent snprintf()
call, resulting in crashes or disclosure of server memory.

To fix, split the pg_strftime() call into two and then treat the
outputs as literal strings, not a snprintf format string.  The
extra pg_strftime() call doesn't really cost anything, since the
bulk of the conversion work was done by pg_localtime().

Also, adjust buffer widths so that we're not risking string truncation
during the snprintf() step, as that would create a hazard of producing
mis-encoded output.

This also fixes a latent portability issue: the format string expects
an int, but tp.tv_usec is long int on many platforms.

Reported-by: Xint Code
Author: Tom Lane <tgl@sss.pgh.pa.us>
Reviewed-by: John Naylor <johncnaylorls@gmail.com>
Backpatch-through: 14
Security: CVE-2026-6474

src/backend/utils/adt/timestamp.c patch | blob | blame | history

diff --git a/src/backend/utils/adt/timestamp.c b/src/backend/utils/adt/timestamp.c
index 288d696be77506f31d4120c2950510756e766ff0..88ba4e0674569f123ca54ebcbc272bba0791ceef 100644 (file)
--- a/src/backend/utils/adt/timestamp.c
+++ b/src/backend/utils/adt/timestamp.c
@@ -1685,15 +1685,19 @@ Datum
 timeofday(PG_FUNCTION_ARGS)
 {
        struct timeval tp;
-       char            templ[128];
-       char            buf[128];
        pg_time_t       tt;
+       struct pg_tm *tm;
+       char            part1[128];
+       char            part2[128];
+       char            buf[128 + 128 + 10];
 
        gettimeofday(&tp, NULL);
        tt = (pg_time_t) tp.tv_sec;
-       pg_strftime(templ, sizeof(templ), "%a %b %d %H:%M:%S.%%06d %Y %Z",
-                               pg_localtime(&tt, session_timezone));
-       snprintf(buf, sizeof(buf), templ, tp.tv_usec);
+       tm = pg_localtime(&tt, session_timezone);
+
+       pg_strftime(part1, sizeof(part1), "%a %b %d %H:%M:%S", tm);
+       pg_strftime(part2, sizeof(part2), "%Y %Z", tm);
+       snprintf(buf, sizeof(buf), "%s.%06d %s", part1, (int) tp.tv_usec, part2);
 
        PG_RETURN_TEXT_P(cstring_to_text(buf));
 }
Mirror of https://git.postgresql.org/git/postgresql.git