BUG #4700: SIGSEGV with incorrect input to to_char function

From: "Sergey Burladyan" <eshkinkot(at)gmail(dot)com>
To: pgsql-bugs(at)postgresql(dot)org
Subject: BUG #4700: SIGSEGV with incorrect input to to_char function
Date: 2009-03-11 20:53:04
Message-ID: 200903112053.n2BKr4HO002321@wwwmaster.postgresql.org
Lists: pgsql-bugs


The following bug has been logged online:

Bug reference: 4700
Logged by: Sergey Burladyan
Email address: eshkinkot(at)gmail(dot)com
PostgreSQL version: 8.3.6
Operating system: Debian GNU/Linux 5.0 (lenny)
Description: SIGSEGV with incorrect input to to_char function
Details:

This is for the Debian package:

seb=> select version();
                                           version
--------------------------------------------------------------------------------------------
 PostgreSQL 8.3.6 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real (Debian 4.3.3-3) 4.3.3

seb=> select to_char(0, 'TMMON TMMon TMmon TMMONTH TMMonth TMDAY TMDay TMday TMDY TMDy TMdy');
server closed the connection unexpectedly
        This probably means the server terminated abnormally
        before or while processing the request.

This is for current CVS REL8_3_STABLE, built with:
./configure --prefix=$HOME/inst/pg-dev --enable-nls='ru' --enable-debug --enable-depend --enable-cassert --enable-thread-safety --with-pgport=5433 --with-libxml --with-libxslt

postgres=# select version();
                                        version
-----------------------------------------------------------------------------------
 PostgreSQL 8.3.6 on i686-pc-linux-gnu, compiled by GCC gcc (Debian 4.3.3-3) 4.3.3

Program received signal SIGSEGV, Segmentation fault.
parse_format (node=<value optimized out>, str=0x9a02053 "ay TMday TMDY TMDy TMdy", kw=0x83c7bc0, suf=0x0, index=0x83c7ec0, ver=2, Num=0xbfe7d8a4) at formatting.c:3751
3751            *ent->str = '\0';

(gdb) bt
#0  parse_format (node=<value optimized out>, str=0x9a02053 "ay TMday TMDY TMDy TMdy", kw=0x83c7bc0, suf=0x0, index=0x83c7ec0, ver=2, Num=0xbfe7d8a4) at formatting.c:3751
#1  0x082c1804 in NUM_cache (len=66, Num=0xbfe7d8a4, pars_str=<value optimized out>, shouldFree=0xbfe7d8cb "\001") at formatting.c:3785
#2  0x082c34d0 in int4_to_char (fcinfo=0xbfe7d918) at formatting.c:4989
#3  0x0819733b in ExecMakeFunctionResult (fcache=0x99fdeb8, econtext=0x99fde20, isNull=0x99fe490 "\177~\177\177\177\177\177\177$\032\234\t@", isDone=0x99fe4f0) at execQual.c:1351
#4  0x08194f75 in ExecProject (projInfo=0x99fe4a4, isDone=0xbfe7dbc8) at execQual.c:4610
#5  0x081a8354 in ExecResult (node=0x99fdd94) at nodeResult.c:155
#6  0x0819416d in ExecProcNode (node=0x99fdd94) at execProcnode.c:319
#7  0x08191ed3 in ExecutorRun (queryDesc=0x99fd820, direction=ForwardScanDirection, count=0) at execMain.c:1335
#8  0x082419db in PortalRunSelect (portal=0x99f4b84, forward=<value optimized out>, count=0, dest=0x99f1d1c) at pquery.c:943
#9  0x082430fd in PortalRun (portal=0x99f4b84, count=2147483647, isTopLevel=1 '\001', dest=0x99f1d1c, altdest=0x99f1d1c, completionTag=0xbfe7de2a "") at pquery.c:797
#10 0x0823dabe in exec_simple_query (query_string=0x99f0b74 "select to_char(0, 'TMMON TMMon TMmon TMMONTH TMMonth TMDAY TMDay TMday TMDY TMDy TMdy');") at postgres.c:1004
#11 0x0823f32c in PostgresMain (argc=4, argv=0x995cc14, username=0x995cbe4 "seb") at postgres.c:3631
#12 0x0820927f in ServerLoop () at postmaster.c:3207
#13 0x0820a203 in PostmasterMain (argc=5, argv=0x995aba0) at postmaster.c:1029
#14 0x081b8346 in main (argc=5, argv=0x995aba0) at main.c:188

(gdb) list
3746 NUM_cache_remove(NUMCacheEntry *ent)
3747 {
3748 #ifdef DEBUG_TO_FROM_CHAR
3749 elog(DEBUG_elog_output, "REMOVING ENTRY (%s)", ent->str);
3750 #endif
3751 *ent->str = '\0';
3752 ent->age = 0;
3753 }
3754
3755 /* ----------

CVS HEAD is also affected:

Program received signal SIGSEGV, Segmentation fault.
parse_format (node=<value optimized out>, str=0x904742b "ay TMday TMDY TMDy TMdy", kw=0x847b820, suf=0x0, index=0x847bb20, ver=2, Num=0xbfdb57d4) at formatting.c:3473
3473            *ent->str = '\0';

(gdb) bt
#0  parse_format (node=<value optimized out>, str=0x904742b "ay TMday TMDY TMDy TMdy", kw=0x847b820, suf=0x0, index=0x847bb20, ver=2, Num=0xbfdb57d4) at formatting.c:3473
#1  0x082ff14a in NUM_cache (len=66, Num=0xbfdb57d4, pars_str=<value optimized out>, shouldFree=0xbfdb57fb "\001�R\004\t<Xۿ�X\004\t\210Zۿ?\231\033\b<Xۿ`ZۿhYۿ��\003") at formatting.c:3502
#2  0x08302db2 in int4_to_char (fcinfo=0xbfdb583c) at formatting.c:4706
#3  0x081b993f in ExecMakeFunctionResult (fcache=0x90452a8, econtext=0x9045210, isNull=0x9045880 "\177~\177\177\177\177\177\177��\003\t@", isDone=0x90458e0) at execQual.c:1659
#4  0x081b43c5 in ExecProject (projInfo=0x9045894, isDone=0xbfdb5b08) at execQual.c:4995
#5  0x081c8a94 in ExecResult (node=0x9045184) at nodeResult.c:155
#6  0x081b34ed in ExecProcNode (node=0x9045184) at execProcnode.c:344
#7  0x081b0e5b in standard_ExecutorRun (queryDesc=0x9044be4, direction=ForwardScanDirection, count=0) at execMain.c:1504
#8  0x08273ecc in PortalRunSelect (portal=0x9042bdc, forward=1 '\001', count=0, dest=0x8fff190) at pquery.c:953
#9  0x0827522e in PortalRun (portal=0x9042bdc, count=2147483647, isTopLevel=1 '\001', dest=0x8fff190, altdest=0x8fff190, completionTag=0xbfdb5d6a "") at pquery.c:807
#10 0x0826fe70 in exec_simple_query (query_string=0x8ffdd2c "select to_char(0, 'TMMON TMMon TMmon TMMONTH TMMonth TMDAY TMDay TMday TMDY TMDy TMdy');") at postgres.c:991
#11 0x08271bd1 in PostgresMain (argc=4, argv=0x8f81b90, username=0x8f81b60 "seb") at postgres.c:3606
#12 0x0823bf0f in ServerLoop () at postmaster.c:3331
#13 0x0823ce80 in PostmasterMain (argc=5, argv=0x8f7fba0) at postmaster.c:1054
#14 0x081dea86 in main (argc=5, argv=0x8f7fba0) at main.c:188

(gdb) list
3468 NUM_cache_remove(NUMCacheEntry *ent)
3469 {
3470 #ifdef DEBUG_TO_FROM_CHAR
3471 elog(DEBUG_elog_output, "REMOVING ENTRY (%s)", ent->str);
3472 #endif
3473 *ent->str = '\0';
3474 ent->age = 0;
3475 }
3476
3477 /* ----------
