rdelaage
/
postgresql
mirror of https://git.postgresql.org/git/postgresql.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix array overrun in ecpg's version of ParseDateTime(). 

The code wrote a value into the caller's field[] array before checking
to see if there was room, which of course is backwards.  Per report from
Michael Paquier.

I fixed the equivalent bug in the backend's version of this code way back
in 630684d3a1, but failed to think about ecpg's copy.  Fortunately
this doesn't look like it would be exploitable for anything worse than a
core dump: an external attacker would have no control over the single word
that gets written.
This commit is contained in:
Tom Lane 2014-10-06 21:23:20 -04:00
parent 273b29dbe9
commit 55bfdd1cfd
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/interfaces/ecpg/pgtypeslib/dt_common.c
View File

@ -1682,6 +1682,7 @@ DecodePosixTimezone(char *str, int *tzp)
*
* The "lowstr" work buffer must have at least strlen(timestr) + MAXDATEFIELDS
* bytes of space. On output, field[] entries will point into it.
* The field[] and ftype[] arrays must have at least MAXDATEFIELDS entries.
*/
int
ParseDateTime(char *timestr, char *lowstr,
@ -1695,9 +1696,9 @@ ParseDateTime(char *timestr, char *lowstr,
while (*(*endstr) != '\0')
{
/* Record start of current field */
field[nf] = lp;
if (nf >= MAXDATEFIELDS)
return -1;
field[nf] = lp;
/* leading digit? then date or time */
if (isdigit((unsigned char) *(*endstr)))