Skip site navigation (1) Skip section navigation (2)

date_in and buffer overrun

From: Hitoshi Harada <umi(dot)tanuki(at)gmail(dot)com>
To: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: date_in and buffer overrun
Date: 2012-10-01 22:30:09
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-hackers
It seems date_in() has a risk of buffer overrun.  If the input is '.',
it sets field[0] to the beginning of workbuf and goes into
DecodeDate().  This function checks null-termination of the head of
string, but it can go beyond the end of string inside the first loop
and replace some bytes with zero.  The worst scenario we've seen is
overwrite of the stack frame, in which the compiler rearranged the
memory allocation of local variables in date_in() and work_buf is at
lower address than field.

I tried to attach a patch file but failed somehow, so I paste the fix here.


diff --git a/src/backend/utils/adt/datetime.c b/src/backend/utils/adt/datetime.c
index d827d7d..b81960a 100644
--- a/src/backend/utils/adt/datetime.c
+++ b/src/backend/utils/adt/datetime.c
@@ -2176,9 +2176,13 @@ DecodeDate(char *str, int fmask, int *tmask,
bool *is2digits,
        while (*str != '\0' && nf < MAXDATEFIELDS)
                /* skip field separators */
-               while (!isalnum((unsigned char) *str))
+               while (*str != '\0' && !isalnum((unsigned char) *str))

+               /* or it may not be what we expected... */
+               if (*str == '\0')
+                       return DTERR_BAD_FORMAT;
                field[nf] = str;
                if (isdigit((unsigned char) *str))

Hitoshi Harada


pgsql-hackers by date

Next:From: Hitoshi HaradaDate: 2012-10-01 22:34:17
Subject: Re: date_in and buffer overrun
Previous:From: Selena DeckelmannDate: 2012-10-01 21:28:45
Subject: Re: setting per-database/role parameters checks them against wrong context

Privacy Policy | About PostgreSQL
Copyright © 1996-2017 The PostgreSQL Global Development Group