Reject out-of-range numeric timezone specifications.

In commit 631dc390f49909a5c8ebd6002cfb2bcee5415a9d, we started to handle
simple numeric timezone offsets via the zic library instead of the old
CTimeZone/HasCTZSet kluge.  However, we overlooked the fact that the zic
code will reject UTC offsets exceeding a week (which seems a bit arbitrary,
but not because it's too tight ...).  This led to possibly setting
session_timezone to NULL, which results in crashes in most timezone-related
operations as of 9.4, and crashes in a small number of places even before
that.  So check for NULL return from pg_tzset_offset() and report an
appropriate error message.  Per bug #11014 from Duncan Gillis.

Back-patch to all supported branches, like the previous patch.
(Unfortunately, as of today that no longer includes 8.4.)

2 files changed, 10 insertions, 0 deletions

diff --git a/src/backend/commands/variable.c b/src/backend/commands/variable.c
index f299738d66b..40a991653d5 100644
--- a/src/backend/commands/variable.c
+++ b/src/backend/commands/variable.c
@@ -349,6 +349,13 @@ check_timezone(char **newval, void **extra, GucSource source)
 		}
 	}
 
+	/* Test for failure in pg_tzset_offset, which we assume is out-of-range */
+	if (!new_tz)
+	{
+		GUC_check_errdetail("UTC timezone offset is out of range.");
+		return false;
+	}
+
 	/*
 	 * Pass back data for assign_timezone to use
 	 */
diff --git a/src/timezone/pgtz.c b/src/timezone/pgtz.c
index 3bbe0a86b82..72aa409727d 100644
--- a/src/timezone/pgtz.c
+++ b/src/timezone/pgtz.c
@@ -296,6 +296,9 @@ pg_tzset(const char *name)
  * The GMT offset is specified in seconds, positive values meaning west of
  * Greenwich (ie, POSIX not ISO sign convention).  However, we use ISO
  * sign convention in the displayable abbreviation for the zone.
+ *
+ * Caution: this can fail (return NULL) if the specified offset is outside
+ * the range allowed by the zic library.
  */
 pg_tz *
 pg_tzset_offset(long gmtoffset)