From: Jeff Davis Date: Thu, 29 Jan 2026 18:14:55 +0000 (-0800) Subject: Fix theoretical memory leaks in pg_locale_libc.c. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=09d8c351744d3fdc7e1f72ab3a3b08b25e0c36f1;p=thirdparty%2Fpostgresql.git Fix theoretical memory leaks in pg_locale_libc.c. The leaks were hard to reach in practice and the impact was low. The callers provide a buffer the same number of bytes as the source string (plus one for NUL terminator) as a starting size, and libc never increases the number of characters. But, if the byte length of one of the converted characters is larger, then it might need a larger destination buffer. Previously, in that case, the working buffers would be leaked. Even in that case, the call typically happens within a context that will soon be reset. Regardless, it's worth fixing to avoid such assumptions, and the fix is simple so it's worth backporting. Discussion: https://postgr.es/m/e2b7a0a88aaadded7e2d19f42d5ab03c9e182ad8.camel@j-davis.com Backpatch-through: 18 --- diff --git a/src/backend/utils/adt/pg_locale_libc.c b/src/backend/utils/adt/pg_locale_libc.c index 199857e22db..c68fec2e585 100644 --- a/src/backend/utils/adt/pg_locale_libc.c +++ b/src/backend/utils/adt/pg_locale_libc.c @@ -222,11 +222,11 @@ strlower_libc_mb(char *dest, size_t destsize, const char *src, ssize_t srclen, result_size = wchar2char(result, workspace, max_size + 1, locale); - if (result_size + 1 > destsize) - return result_size; - - memcpy(dest, result, result_size); - dest[result_size] = '\0'; + if (destsize >= result_size + 1) + { + memcpy(dest, result, result_size); + dest[result_size] = '\0'; + } pfree(workspace); pfree(result); @@ -323,11 +323,11 @@ strtitle_libc_mb(char *dest, size_t destsize, const char *src, ssize_t srclen, result_size = wchar2char(result, workspace, max_size + 1, locale); - if (result_size + 1 > destsize) - return result_size; - - memcpy(dest, result, result_size); - dest[result_size] = '\0'; + if (destsize >= result_size + 1) + { + memcpy(dest, result, result_size); + dest[result_size] = '\0'; + } pfree(workspace); pfree(result); @@ -405,11 +405,11 @@ strupper_libc_mb(char *dest, size_t destsize, const char *src, ssize_t srclen, result_size = wchar2char(result, workspace, max_size + 1, locale); - if (result_size + 1 > destsize) - return result_size; - - memcpy(dest, result, result_size); - dest[result_size] = '\0'; + if (destsize >= result_size + 1) + { + memcpy(dest, result, result_size); + dest[result_size] = '\0'; + } pfree(workspace); pfree(result);