summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 525510a)
raw | patch | inline | side by side (parent: 525510a)
| author | Tom Lane <tgl@sss.pgh.pa.us> | |
| Tue, 7 Oct 2014 01:23:20 +0000 (21:23 -0400) | ||
| committer | Tom Lane <tgl@sss.pgh.pa.us> | |
| Tue, 7 Oct 2014 01:23:45 +0000 (21:23 -0400) |
The code wrote a value into the caller's field[] array before checking
to see if there was room, which of course is backwards. Per report from
Michael Paquier.
I fixed the equivalent bug in the backend's version of this code way back
in 630684d3a130bb93, but failed to think about ecpg's copy. Fortunately
this doesn't look like it would be exploitable for anything worse than a
core dump: an external attacker would have no control over the single word
that gets written.
to see if there was room, which of course is backwards. Per report from
Michael Paquier.
I fixed the equivalent bug in the backend's version of this code way back
in 630684d3a130bb93, but failed to think about ecpg's copy. Fortunately
this doesn't look like it would be exploitable for anything worse than a
core dump: an external attacker would have no control over the single word
that gets written.
| src/interfaces/ecpg/pgtypeslib/dt_common.c | patch | blob | blame | history |
diff --git a/src/interfaces/ecpg/pgtypeslib/dt_common.c b/src/interfaces/ecpg/pgtypeslib/dt_common.c
index be7e99631439519b1cb63b1c3e344574510fbc44..123561c4824ba051d52c6be49ec3c0959f5d41c6 100644 (file)
*
* The "lowstr" work buffer must have at least strlen(timestr) + MAXDATEFIELDS
* bytes of space. On output, field[] entries will point into it.
+ * The field[] and ftype[] arrays must have at least MAXDATEFIELDS entries.
*/
int
ParseDateTime(char *timestr, char *lowstr,
while (*(*endstr) != '\0')
{
/* Record start of current field */
- field[nf] = lp;
if (nf >= MAXDATEFIELDS)
return -1;
+ field[nf] = lp;
/* leading digit? then date or time */
if (isdigit((unsigned char) *(*endstr)))