From b40cdd229902b40a6f4bb09177996ce995af8525 Mon Sep 17 00:00:00 2001
From: Haibo Yan <haibo.yan@apple.com>
Date: Fri, 6 Jun 2025 12:39:13 -0700
Subject: [PATCH] Mitigate potential overflow risks from wcscpy and sprintf

The use of wcscpy and sprintf for copying user-supplied input into buffers
is inherently unsafe and can lead to buffer overflows. This commit replaces
wcscpy with wcsncpy and sprintf with snprintf to ensure proper bounds
checking and mitigate potential overflow vulnerabilities.
---
 src/backend/utils/adt/pg_locale.c |  4 ++--
 src/backend/utils/misc/guc.c      | 18 +++++++++---------
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/src/backend/utils/adt/pg_locale.c b/src/backend/utils/adt/pg_locale.c
index f5e31c433a0..e5c64d81de3 100644
--- a/src/backend/utils/adt/pg_locale.c
+++ b/src/backend/utils/adt/pg_locale.c
@@ -929,7 +929,7 @@ search_locale_enum(LPWSTR pStr, DWORD dwFlags, LPARAM lparam)
 		{
 			if (_wcsicmp(argv[0], test_locale) == 0)
 			{
-				wcscpy(argv[1], pStr);
+				wcsncpy(argv[1], pStr, LOCALE_NAME_MAX_LENGTH - 1);
 				*argv[2] = (wchar_t) 1;
 				return FALSE;
 			}
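Review bot: The wcsncpy on the added line copies at most LOCALE_NAME_MAX_LENGTH - 1 characters but does not NUL-terminate argv[1] when pStr is that long or longer, so a truncated name leaves an unterminated wide string unless the caller zero-filled the buffer beforehand; the hunk at line 952 has the same gap. Terminating explicitly after the copy closes it: `wcsncpy(argv[1], pStr, LOCALE_NAME_MAX_LENGTH - 1); argv[1][LOCALE_NAME_MAX_LENGTH - 1] = L'\0';`. The bound also presumes argv[1] points at a buffer of exactly LOCALE_NAME_MAX_LENGTH wchar_t, which the hunk does not show; once confirmed against the caller, a comment at the copy such as `/* argv[1] is a LOCALE_NAME_MAX_LENGTH wchar_t buffer owned by the caller */` would record the assumption. search_locale_enum starts and ends outside the hunk.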
@@ -952,7 +952,7 @@ search_locale_enum(LPWSTR pStr, DWORD dwFlags, LPARAM lparam)
 			{
 				if (_wcsicmp(argv[0], test_locale) == 0)
 				{
-					wcscpy(argv[1], pStr);
+					wcsncpy(argv[1], pStr, LOCALE_NAME_MAX_LENGTH - 1);
 					*argv[2] = (wchar_t) 1;
 					return FALSE;
 				}
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 667df448732..927c3e52ee2 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -1818,9 +1818,9 @@ SelectConfigFiles(const char *userDoption, const char *progname)
 	}
 	else if (configdir)
 	{
-		fname = guc_malloc(FATAL,
-						   strlen(configdir) + strlen(CONFIG_FILENAME) + 2);
-		sprintf(fname, "%s/%s", configdir, CONFIG_FILENAME);
+		size_t len = strlen(configdir) + strlen(CONFIG_FILENAME) + 2;
+		fname = guc_malloc(FATAL, len);
+		snprintf(fname, len, "%s/%s", configdir, CONFIG_FILENAME);
 		fname_is_malloced = false;
 	}
 	else
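Review bot: The new snprintf bound equals the allocated size, so this call cannot truncate, but why len carries a +2 is only implied by the format string; a one-line comment above `size_t len = ...` such as `/* +2: the '/' separator and the terminating NUL */` would make it self-explanatory. The same three lines are repeated verbatim in the hunks at lines 1921 and 1952; a small static helper that joins configdir with a file name via guc_malloc would keep the copies from drifting apart. Whether a `len` identifier already exists earlier in SelectConfigFiles is not visible in the hunk; if it does, the new block-scoped declaration shadows it and -Wshadow would flag it. SelectConfigFiles starts and ends outside the hunk.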
@@ -1921,9 +1921,9 @@ SelectConfigFiles(const char *userDoption, const char *progname)
 	}
 	else if (configdir)
 	{
-		fname = guc_malloc(FATAL,
-						   strlen(configdir) + strlen(HBA_FILENAME) + 2);
-		sprintf(fname, "%s/%s", configdir, HBA_FILENAME);
+		size_t len = strlen(configdir) + strlen(HBA_FILENAME) + 2;
+		fname = guc_malloc(FATAL, len);
+		snprintf(fname, len, "%s/%s", configdir, HBA_FILENAME);
 		fname_is_malloced = false;
 	}
 	else
@@ -1952,9 +1952,9 @@ SelectConfigFiles(const char *userDoption, const char *progname)
 	}
 	else if (configdir)
 	{
-		fname = guc_malloc(FATAL,
-						   strlen(configdir) + strlen(IDENT_FILENAME) + 2);
-		sprintf(fname, "%s/%s", configdir, IDENT_FILENAME);
+		size_t len = strlen(configdir) + strlen(IDENT_FILENAME) + 2;
+		fname = guc_malloc(FATAL, len);
+		snprintf(fname, len, "%s/%s", configdir, IDENT_FILENAME);
 		fname_is_malloced = false;
 	}
 	else
-- 
2.49.0

