Commit d9a1e9d

Fix array overrun in ecpg's version of ParseDateTime().
The code wrote a value into the caller's field[] array before checking to see if there was room, which of course is backwards. Per report from Michael Paquier.

I fixed the equivalent bug in the backend's version of this code way back in 630684d, but failed to think about ecpg's copy. Fortunately this doesn't look like it would be exploitable for anything worse than a core dump: an external attacker would have no control over the single word that gets written.

1 parent 64a6285 commit d9a1e9d

1 file changed: +2 -1 lines changed

‎src/interfaces/ecpg/pgtypeslib/dt_common.c

Lines changed: 2 additions & 1 deletion
@@ -1672,6 +1672,7 @@ DecodePosixTimezone(char *str, int *tzp)
16721672
*
16731673
* The "lowstr" work buffer must have at least strlen(timestr) + MAXDATEFIELDS
16741674
* bytes of space. On output, field[] entries will point into it.
1675+
* The field[] and ftype[] arrays must have at least MAXDATEFIELDS entries.
16751676
*/
16761677
int
16771678
ParseDateTime(char*timestr,char*lowstr,
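
Review bot: the new header comment line requires field[] and ftype[] to hold at least MAXDATEFIELDS entries, but the function has no way to verify that; the check in the next hunk compares nf against the compile-time constant MAXDATEFIELDS, not against a size supplied by the caller. Because the requirement lives only in this comment, it would help to state here as well that the function returns -1 once MAXDATEFIELDS fields have been seen, and to confirm that each caller in ecpg declares both arrays with that size.
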
@@ -1685,9 +1686,9 @@ ParseDateTime(char *timestr, char *lowstr,
16851686
while (*(*endstr)!='\0')
16861687
{
16871688
/* Record start of current field */
1688-
field[nf]=lp;
16891689
if (nf >=MAXDATEFIELDS)
16901690
return-1;
1691+
field[nf]=lp;
16911692

16921693
/* leading digit? then date or time */
16931694
if (isdigit((unsignedchar)*(*endstr)))
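
Review bot: no regression test accompanies the reordered check at the top of the while loop; the commit changes only src/interfaces/ecpg/pgtypeslib/dt_common.c. With the `nf >= MAXDATEFIELDS` test and its `return -1` now ahead of the `field[nf] = lp` store, the write is bounded, so a test that feeds an input with more than MAXDATEFIELDS fields and expects the -1 return would keep this ordering from regressing. It is also worth checking that the ftype[] stores later in the loop body, which lie outside this hunk, are reached only after this check.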
