Fix array overrun in ecpg's version of ParseDateTime().
The code wrote a value into the caller's field[] array before checking
to see if there was room, which of course is backwards. Per report from
Michael Paquier.
I fixed the equivalent bug in the backend's version of this code way back
in 630684d3a1, but failed to think about ecpg's copy. Fortunately
this doesn't look like it would be exploitable for anything worse than a
core dump: an external attacker would have no control over the single word
that gets written.
parent 273b29dbe9
commit 55bfdd1cfd
|
@ -1682,6 +1682,7 @@ DecodePosixTimezone(char *str, int *tzp)
|
||||||
*
|
*
|
||||||
* The "lowstr" work buffer must have at least strlen(timestr) + MAXDATEFIELDS
|
* The "lowstr" work buffer must have at least strlen(timestr) + MAXDATEFIELDS
|
||||||
* bytes of space. On output, field[] entries will point into it.
|
* bytes of space. On output, field[] entries will point into it.
|
||||||
|
* The field[] and ftype[] arrays must have at least MAXDATEFIELDS entries.
|
||||||
*/
|
*/
|
||||||
int
|
int
|
||||||
ParseDateTime(char *timestr, char *lowstr,
|
ParseDateTime(char *timestr, char *lowstr,
|
||||||
|
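Review bot: The sizing rule added to the header comment, that field[] and ftype[] have at least MAXDATEFIELDS entries, is a caller contract the function cannot verify, because the loop bound in the following hunk is the constant `MAXDATEFIELDS` rather than a length the caller passes in. The same comment should also say that the function returns -1 once the input contains more fields than that, so callers see the sizing rule and the failure mode in one place.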
@ -1695,9 +1696,9 @@ ParseDateTime(char *timestr, char *lowstr,
|
||||||
while (*(*endstr) != '\0')
|
while (*(*endstr) != '\0')
|
||||||
{
|
{
|
||||||
/* Record start of current field */
|
/* Record start of current field */
|
||||||
field[nf] = lp;
|
|
||||||
if (nf >= MAXDATEFIELDS)
|
if (nf >= MAXDATEFIELDS)
|
||||||
return -1;
|
return -1;
|
||||||
|
field[nf] = lp;
|
||||||
|
|
||||||
/* leading digit? then date or time */
|
/* leading digit? then date or time */
|
||||||
if (isdigit((unsigned char) *(*endstr)))
|
if (isdigit((unsigned char) *(*endstr)))
|
||||||
|
|
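Review bot: No test in this patch drives the `return -1` path that now guards `field[nf] = lp;`, and the commit message notes that this copy was missed when the backend's version was fixed. Add a regression case with a timestamp string containing more than MAXDATEFIELDS fields, and consider a one-line comment at the `if (nf >= MAXDATEFIELDS)` check stating that it must stay ahead of any store into field[], so the ecpg and backend copies are easier to keep aligned.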