Commit 037b912

Fix array overrun in ecpg's version of ParseDateTime().

The code wrote a value into the caller's field[] array before checking to see if there was room, which of course is backwards. Per report from Michael Paquier.

I fixed the equivalent bug in the backend's version of this code way back in 630684d, but failed to think about ecpg's copy. Fortunately this doesn't look like it would be exploitable for anything worse than a core dump: an external attacker would have no control over the single word that gets written.

1 parent 525510a commit 037b912

1 file changed: +2 -1 lines changed


‎src/interfaces/ecpg/pgtypeslib/dt_common.c‎

@@ -1675,6 +1675,7 @@ DecodePosixTimezone(char *str, int *tzp)
16751675
*
16761676
* The "lowstr" work buffer must have at least strlen(timestr) + MAXDATEFIELDS
16771677
* bytes of space. On output, field[] entries will point into it.
1678+
* The field[] and ftype[] arrays must have at least MAXDATEFIELDS entries.
16781679
*/
16791680
int
16801681
ParseDateTime(char*timestr,char*lowstr,
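Review bot: The added comment line requiring field[] and ftype[] to hold at least MAXDATEFIELDS entries states a precondition that callers must meet, and nothing in this hunk checks it. Suggest auditing every caller of ParseDateTime() in ecpg to confirm both arrays are declared with MAXDATEFIELDS elements, since the bounds check in the loop is only as good as that assumption. It would also help to word the new line like the lowstr sentence above it, so the buffer requirements read as one contract.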
@@ -1688,9 +1689,9 @@ ParseDateTime(char *timestr, char *lowstr,
16881689
while (*(*endstr)!='\0')
16891690
{
16901691
/* Record start of current field */
1691-
field[nf]=lp;
16921692
if (nf >=MAXDATEFIELDS)
16931693
return-1;
1694+
field[nf]=lp;
16941695

16951696
/* leading digit? then date or time */
16961697
if (isdigit((unsignedchar)*(*endstr)))
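Review bot: Nothing in this commit exercises the boundary that the moved `field[nf]=lp;` store depends on. With the store now placed after the `if (nf >=MAXDATEFIELDS)` check, an input that reaches nf == MAXDATEFIELDS should return -1 without touching field[], but the commit changes one file only and adds no test. Suggest a regression test for the ecpg date/time parsing that feeds a string with more than MAXDATEFIELDS fields and expects a clean parse failure. It is also worth confirming that any ftype[] store later in the loop, outside the visible lines, is reached only after this check.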
