Commit 55bfdd1

Fix array overrun in ecpg's version of ParseDateTime().
The code wrote a value into the caller's field[] array before checking to see if there was room, which of course is backwards. Per report from Michael Paquier.

I fixed the equivalent bug in the backend's version of this code way back in 630684d, but failed to think about ecpg's copy. Fortunately this doesn't look like it would be exploitable for anything worse than a core dump: an external attacker would have no control over the single word that gets written.

1 parent 273b29d commit 55bfdd1

1 file changed, +2 -1 lines changed

‎src/interfaces/ecpg/pgtypeslib/dt_common.c

Lines changed: 2 additions & 1 deletion
@@ -1682,6 +1682,7 @@ DecodePosixTimezone(char *str, int *tzp)
16821682
*
16831683
* The "lowstr" work buffer must have at least strlen(timestr) + MAXDATEFIELDS
16841684
* bytes of space. On output, field[] entries will point into it.
1685+
* The field[] and ftype[] arrays must have at least MAXDATEFIELDS entries.
16851686
*/
16861687
int
16871688
ParseDateTime(char*timestr,char*lowstr,
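Review bot: the new comment line in the header block states the size contract for field[] and ftype[] but not what happens when the input has more fields than that; consider adding that ParseDateTime() returns -1 once nf reaches MAXDATEFIELDS, so the requirement and the failure mode are documented in one place. Because the limit is the MAXDATEFIELDS constant rather than a length supplied by the caller, this comment is the only statement of the contract, and callers should size both arrays with MAXDATEFIELDS itself rather than a literal.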
@@ -1695,9 +1696,9 @@ ParseDateTime(char *timestr, char *lowstr,
16951696
while (*(*endstr)!='\0')
16961697
{
16971698
/* Record start of current field */
1698-
field[nf]=lp;
16991699
if (nf >=MAXDATEFIELDS)
17001700
return-1;
1701+
field[nf]=lp;
17011702

17021703
/* leading digit? then date or time */
17031704
if (isdigit((unsignedchar)*(*endstr)))
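Review bot: with the assignment moved below the "if (nf >= MAXDATEFIELDS) return -1;" test, field[nf] is now guarded, but the matching ftype[nf] store is not in the visible context; please confirm it happens later in the same iteration, before nf is incremented, so that this one check covers both arrays. A regression test that passes a string with more than MAXDATEFIELDS fields and expects -1 would keep the check-then-write order from being reversed again.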
