Fix integer-overflow and alignment hazards in locale-related code. pg_locale_icu.c was full of places where a very long input string could cause integer overflow while calculating a buffer size, leading to buffer overruns.
It also was cavalier about using char-type local arrays as buffers holding arrays of UChar. The alignment of a char[] variable isn't guaranteed, so that this risked failure on alignment-picky platforms. The lack of complaints suggests that such platforms are very rare nowadays; but it's likely that we are paying a performance price on rather more platforms. Declare those arrays as UChar[] instead, keeping their physical size the same. pg_locale_libc.c's strncoll_libc_win32_utf8() also had the disease of assuming it could double or quadruple the input string length without concern for overflow. Reported-by: Xint Code Reported-by: Pavel Kohout <[email protected]> Author: Tom Lane <[email protected]> Backpatch-through: 14 Security: CVE-2026-6473 Branch ------ master Details ------- https://git.postgresql.org/pg/commitdiff/b2869ebc43bd0ce7c0e73a15730d77644aebaf8e Author: Tom Lane <[email protected]> Modified Files -------------- src/backend/utils/adt/pg_locale_icu.c | 77 +++++++++++++++------------------- src/backend/utils/adt/pg_locale_libc.c | 18 +++++--- 2 files changed, 45 insertions(+), 50 deletions(-)
