NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit504af1f

committed

Fix possible read past end of string in to_timestamp().

to_timestamp() handles the TH/th format codes by advancing over two inputcharacters, whatever those are. It failed to notice whether there weretwo characters available to be skipped, making it possible to advancethe pointer past the end of the input string and keep on parsing.A similar risk existed in the handling of "Y,YYY" format: it would advanceover three characters after the "," whether or not three characters wereavailable.In principle this might be exploitable to disclose contents of servermemory. But the security team concluded that it would be very hard to usethat way, because the parsing loop would stop upon hitting any zero byte,and TH/th format codes can't be consecutive --- they have to follow someother format code, which would have to match whatever data is there.So it seems impractical to examine memory very much beyond the end of theinput string via this bug; and the input string will always be in localmemory not in disk buffers, making it unlikely that anything veryinteresting is close to it in a predictable way. So this doesn't quiterise to the level of needing a CVE.Thanks to Wolf Roediger for reporting this bug.

1 parent4edbb26 commit504af1fCopy full SHA for 504af1f

File tree

1 file changed

+39

-45

lines changed

src/backend/utils/adt
- formatting.c

1 file changed

+39

-45

lines changed

`‎src/backend/utils/adt/formatting.c`

Lines changed: 39 additions & 45 deletions

Original file line number	Diff line number	Diff line change
`@@ -964,7 +964,6 @@ static const char get_th(char num, int type);`
`964`	`964`	`staticcharstr_numth(chardest,char*num,inttype);`
`965`	`965`	`staticintadjust_partial_year_to_2020(intyear);`
`966`	`966`	`staticintstrspace_len(char*str);`
`967`		`-staticintstrdigits_len(char*str);`
`968`	`967`	`staticvoidfrom_char_set_mode(TmFromChar*tmfc,constFromCharDateModemode);`
`969`	`968`	`staticvoidfrom_char_set_int(intdest,constintvalue,constFormatNodenode);`
`970`	`969`	`staticintfrom_char_parse_int_len(intdest,charsrc,constintlen,FormatNodenode);`
`@@ -1976,9 +1975,19 @@ asc_toupper_z(const char *buff)`
`1976`	`1975`
`1977`	`1976`	`/* ----------`
`1978`	`1977`	`* Skip TM / th in FROM_CHAR`
	`1978`	`+ *`
	`1979`	`+ * If S_THth is on, skip two chars, assuming there are two available`
`1979`	`1980`	`* ----------`
`1980`	`1981`	`*/`
`1981`		`-#defineSKIP_THth(_suf)(S_THth(_suf) ? 2 : 0)`
	`1982`	`+#defineSKIP_THth(ptr,_suf) \`
	`1983`	`+do { \`
	`1984`	`+if (S_THth(_suf)) \`
	`1985`	`+{ \`
	`1986`	`+if (*(ptr)) (ptr)++; \`
	`1987`	`+if (*(ptr)) (ptr)++; \`
	`1988`	`+} \`
	`1989`	`+} while (0)`
	`1990`	`+`
`1982`	`1991`
`1983`	`1992`	`#ifdefDEBUG_TO_FROM_CHAR`
`1984`	`1993`	`/* -----------`
`@@ -2086,23 +2095,6 @@ strspace_len(char *str)`
`2086`	`2095`	`returnlen;`
`2087`	`2096`	`}`
`2088`	`2097`
`2089`		`-staticint`
`2090`		`-strdigits_len(char*str)`
`2091`		`-{`
`2092`		`-char*p=str;`
`2093`		`-intlen;`
`2094`		`-`
`2095`		`-len=strspace_len(str);`
`2096`		`-p+=len;`
`2097`		`-`
`2098`		`-while (p&&isdigit((unsignedchar)p)&&len <=DCH_MAX_ITEM_SIZ)`
`2099`		`-{`
`2100`		`-len++;`
`2101`		`-p++;`
`2102`		`-}`
`2103`		`-returnlen;`
`2104`		`-}`
`2105`		`-`
`2106`	`2098`	`/*`
`2107`	`2099`	`* Set the date mode of a from-char conversion.`
`2108`	`2100`	`*`
`@@ -3000,19 +2992,19 @@ DCH_from_char(FormatNode node, char in, TmFromChar *out)`
`3000`	`2992`	`caseDCH_HH12:`
`3001`	`2993`	`from_char_parse_int_len(&out->hh,&s,2,n);`
`3002`	`2994`	`out->clock=CLOCK_12_HOUR;`
`3003`		`-s+=SKIP_THth(n->suffix);`
	`2995`	`+SKIP_THth(s,n->suffix);`
`3004`	`2996`	`break;`
`3005`	`2997`	`caseDCH_HH24:`
`3006`	`2998`	`from_char_parse_int_len(&out->hh,&s,2,n);`
`3007`		`-s+=SKIP_THth(n->suffix);`
	`2999`	`+SKIP_THth(s,n->suffix);`
`3008`	`3000`	`break;`
`3009`	`3001`	`caseDCH_MI:`
`3010`	`3002`	`from_char_parse_int(&out->mi,&s,n);`
`3011`		`-s+=SKIP_THth(n->suffix);`
	`3003`	`+SKIP_THth(s,n->suffix);`
`3012`	`3004`	`break;`
`3013`	`3005`	`caseDCH_SS:`
`3014`	`3006`	`from_char_parse_int(&out->ss,&s,n);`
`3015`		`-s+=SKIP_THth(n->suffix);`
	`3007`	`+SKIP_THth(s,n->suffix);`
`3016`	`3008`	`break;`
`3017`	`3009`	`caseDCH_MS:/* millisecond */`
`3018`	`3010`	`len=from_char_parse_int_len(&out->ms,&s,3,n);`
`@@ -3023,7 +3015,7 @@ DCH_from_char(FormatNode node, char in, TmFromChar *out)`
`3023`	`3015`	`out->ms *=len==1 ?100 :`
`3024`	`3016`	`len==2 ?10 :1;`
`3025`	`3017`
`3026`		`-s+=SKIP_THth(n->suffix);`
	`3018`	`+SKIP_THth(s,n->suffix);`
`3027`	`3019`	`break;`
`3028`	`3020`	`caseDCH_US:/* microsecond */`
`3029`	`3021`	`len=from_char_parse_int_len(&out->us,&s,6,n);`
`@@ -3034,11 +3026,11 @@ DCH_from_char(FormatNode node, char in, TmFromChar *out)`
`3034`	`3026`	`len==4 ?100 :`
`3035`	`3027`	`len==5 ?10 :1;`
`3036`	`3028`
`3037`		`-s+=SKIP_THth(n->suffix);`
	`3029`	`+SKIP_THth(s,n->suffix);`
`3038`	`3030`	`break;`
`3039`	`3031`	`caseDCH_SSSS:`
`3040`	`3032`	`from_char_parse_int(&out->ssss,&s,n);`
`3041`		`-s+=SKIP_THth(n->suffix);`
	`3033`	`+SKIP_THth(s,n->suffix);`
`3042`	`3034`	`break;`
`3043`	`3035`	`caseDCH_tz:`
`3044`	`3036`	`caseDCH_TZ:`
`@@ -3078,7 +3070,7 @@ DCH_from_char(FormatNode node, char in, TmFromChar *out)`
`3078`	`3070`	`break;`
`3079`	`3071`	`caseDCH_MM:`
`3080`	`3072`	`from_char_parse_int(&out->mm,&s,n);`
`3081`		`-s+=SKIP_THth(n->suffix);`
	`3073`	`+SKIP_THth(s,n->suffix);`
`3082`	`3074`	`break;`
`3083`	`3075`	`caseDCH_DAY:`
`3084`	`3076`	`caseDCH_Day:`
`@@ -3098,31 +3090,31 @@ DCH_from_char(FormatNode node, char in, TmFromChar *out)`
`3098`	`3090`	`break;`
`3099`	`3091`	`caseDCH_DDD:`
`3100`	`3092`	`from_char_parse_int(&out->ddd,&s,n);`
`3101`		`-s+=SKIP_THth(n->suffix);`
	`3093`	`+SKIP_THth(s,n->suffix);`
`3102`	`3094`	`break;`
`3103`	`3095`	`caseDCH_IDDD:`
`3104`	`3096`	`from_char_parse_int_len(&out->ddd,&s,3,n);`
`3105`		`-s+=SKIP_THth(n->suffix);`
	`3097`	`+SKIP_THth(s,n->suffix);`
`3106`	`3098`	`break;`
`3107`	`3099`	`caseDCH_DD:`
`3108`	`3100`	`from_char_parse_int(&out->dd,&s,n);`
`3109`		`-s+=SKIP_THth(n->suffix);`
	`3101`	`+SKIP_THth(s,n->suffix);`
`3110`	`3102`	`break;`
`3111`	`3103`	`caseDCH_D:`
`3112`	`3104`	`from_char_parse_int(&out->d,&s,n);`
`3113`		`-s+=SKIP_THth(n->suffix);`
	`3105`	`+SKIP_THth(s,n->suffix);`
`3114`	`3106`	`break;`
`3115`	`3107`	`caseDCH_ID:`
`3116`	`3108`	`from_char_parse_int_len(&out->d,&s,1,n);`
`3117`	`3109`	`/* Shift numbering to match Gregorian where Sunday = 1 */`
`3118`	`3110`	`if (++out->d>7)`
`3119`	`3111`	`out->d=1;`
`3120`		`-s+=SKIP_THth(n->suffix);`
	`3112`	`+SKIP_THth(s,n->suffix);`
`3121`	`3113`	`break;`
`3122`	`3114`	`caseDCH_WW:`
`3123`	`3115`	`caseDCH_IW:`
`3124`	`3116`	`from_char_parse_int(&out->ww,&s,n);`
`3125`		`-s+=SKIP_THth(n->suffix);`
	`3117`	`+SKIP_THth(s,n->suffix);`
`3126`	`3118`	`break;`
`3127`	`3119`	`caseDCH_Q:`
`3128`	`3120`
`@@ -3137,55 +3129,57 @@ DCH_from_char(FormatNode node, char in, TmFromChar *out)`
`3137`	`3129`	`* isn't stored anywhere in 'out'.`
`3138`	`3130`	`*/`
`3139`	`3131`	`from_char_parse_int((int*)NULL,&s,n);`
`3140`		`-s+=SKIP_THth(n->suffix);`
	`3132`	`+SKIP_THth(s,n->suffix);`
`3141`	`3133`	`break;`
`3142`	`3134`	`caseDCH_CC:`
`3143`	`3135`	`from_char_parse_int(&out->cc,&s,n);`
`3144`		`-s+=SKIP_THth(n->suffix);`
	`3136`	`+SKIP_THth(s,n->suffix);`
`3145`	`3137`	`break;`
`3146`	`3138`	`caseDCH_Y_YYY:`
`3147`	`3139`	`{`
`3148`	`3140`	`intmatched,`
`3149`	`3141`	`years,`
`3150`		`-millenia;`
	`3142`	`+millenia,`
	`3143`	`+nch;`
`3151`	`3144`
`3152`		`-matched=sscanf(s,"%d,%03d",&millenia,&years);`
`3153`		`-if (matched!=2)`
	`3145`	`+matched=sscanf(s,"%d,%03d%n",&millenia,&years,&nch);`
	`3146`	`+if (matched<2)`
`3154`	`3147`	`ereport(ERROR,`
`3155`	`3148`	`(errcode(ERRCODE_INVALID_DATETIME_FORMAT),`
`3156`	`3149`	`errmsg("invalid input string for \"Y,YYY\"")));`
`3157`	`3150`	`years+= (millenia*1000);`
`3158`	`3151`	`from_char_set_int(&out->year,years,n);`
`3159`	`3152`	`out->yysz=4;`
`3160`		`-s+=strdigits_len(s)+4+SKIP_THth(n->suffix);`
	`3153`	`+s+=nch;`
	`3154`	`+SKIP_THth(s,n->suffix);`
`3161`	`3155`	`}`
`3162`	`3156`	`break;`
`3163`	`3157`	`caseDCH_YYYY:`
`3164`	`3158`	`caseDCH_IYYY:`
`3165`	`3159`	`from_char_parse_int(&out->year,&s,n);`
`3166`	`3160`	`out->yysz=4;`
`3167`		`-s+=SKIP_THth(n->suffix);`
	`3161`	`+SKIP_THth(s,n->suffix);`
`3168`	`3162`	`break;`
`3169`	`3163`	`caseDCH_YYY:`
`3170`	`3164`	`caseDCH_IYY:`
`3171`	`3165`	`if (from_char_parse_int(&out->year,&s,n)<4)`
`3172`	`3166`	`out->year=adjust_partial_year_to_2020(out->year);`
`3173`	`3167`	`out->yysz=3;`
`3174`		`-s+=SKIP_THth(n->suffix);`
	`3168`	`+SKIP_THth(s,n->suffix);`
`3175`	`3169`	`break;`
`3176`	`3170`	`caseDCH_YY:`
`3177`	`3171`	`caseDCH_IY:`
`3178`	`3172`	`if (from_char_parse_int(&out->year,&s,n)<4)`
`3179`	`3173`	`out->year=adjust_partial_year_to_2020(out->year);`
`3180`	`3174`	`out->yysz=2;`
`3181`		`-s+=SKIP_THth(n->suffix);`
	`3175`	`+SKIP_THth(s,n->suffix);`
`3182`	`3176`	`break;`
`3183`	`3177`	`caseDCH_Y:`
`3184`	`3178`	`caseDCH_I:`
`3185`	`3179`	`if (from_char_parse_int(&out->year,&s,n)<4)`
`3186`	`3180`	`out->year=adjust_partial_year_to_2020(out->year);`
`3187`	`3181`	`out->yysz=1;`
`3188`		`-s+=SKIP_THth(n->suffix);`
	`3182`	`+SKIP_THth(s,n->suffix);`
`3189`	`3183`	`break;`
`3190`	`3184`	`caseDCH_RM:`
`3191`	`3185`	`from_char_seq_search(&value,&s,rm_months_upper,`
`@@ -3199,11 +3193,11 @@ DCH_from_char(FormatNode node, char in, TmFromChar *out)`
`3199`	`3193`	`break;`
`3200`	`3194`	`caseDCH_W:`
`3201`	`3195`	`from_char_parse_int(&out->w,&s,n);`
`3202`		`-s+=SKIP_THth(n->suffix);`
	`3196`	`+SKIP_THth(s,n->suffix);`
`3203`	`3197`	`break;`
`3204`	`3198`	`caseDCH_J:`
`3205`	`3199`	`from_char_parse_int(&out->j,&s,n);`
`3206`		`-s+=SKIP_THth(n->suffix);`
	`3200`	`+SKIP_THth(s,n->suffix);`
`3207`	`3201`	`break;`
`3208`	`3202`	`}`
`3209`	`3203`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit504af1f

File tree

1 file changed

1 file changed

`‎src/backend/utils/adt/formatting.c`

0 commit comments