Fix integer-overflow and alignment hazards in locale-related code.

pg_locale_icu.c was full of places where a very long input string
could cause integer overflow while calculating a buffer size,
leading to buffer overruns.

It also was cavalier about using char-type local arrays as buffers
holding arrays of UChar.  The alignment of a char[] variable isn't
guaranteed, so that this risked failure on alignment-picky platforms.
The lack of complaints suggests that such platforms are very rare
nowadays; but it's likely that we are paying a performance price on
rather more platforms.  Declare those arrays as UChar[] instead,
keeping their physical size the same.

pg_locale_libc.c's strncoll_libc_win32_utf8() also had the
disease of assuming it could double or quadruple the input
string length without concern for overflow.

Reported-by: Xint Code
Reported-by: Pavel Kohout <pavel.kohout@aisle.com>
Author: Tom Lane <tgl@sss.pgh.pa.us>
Backpatch-through: 14
Security: CVE-2026-6473

diff --git a/src/backend/utils/adt/pg_locale.c b/src/backend/utils/adt/pg_locale.c
index 143fe9f85b40143d69b45087021def8a773fee4b..2865cbdff99f3f0523428396fd84b0b6ae429897 100644 (file)
--- a/src/backend/utils/adt/pg_locale.c
+++ b/src/backend/utils/adt/pg_locale.c
@@ -1837,7 +1837,7 @@ icu_to_uchar(UChar **buff_uchar, const char *buff, size_t nbytes)
                ereport(ERROR,
                                (errmsg("%s failed: %s", "ucnv_toUChars", u_errorName(status))));
 
-       *buff_uchar = palloc((len_uchar + 1) * sizeof(**buff_uchar));
+       *buff_uchar = palloc_array(UChar, len_uchar + 1);
 
        status = U_ZERO_ERROR;
        len_uchar = ucnv_toUChars(icu_converter, *buff_uchar, len_uchar + 1,