aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorTom Lane <tgl@sss.pgh.pa.us>2014-10-06 21:23:20 -0400
committerTom Lane <tgl@sss.pgh.pa.us>2014-10-06 21:23:20 -0400
commit55bfdd1cfd991af0864535bbca24a606e8be7e45 (patch)
tree7c2d0f284d0faf1d0c44af07c37e9d66b5d34055 /src
parent273b29dbe96b1584dd66615cf8dc83e7e6ae7386 (diff)
downloadpostgresql-55bfdd1cfd991af0864535bbca24a606e8be7e45.tar.gz
postgresql-55bfdd1cfd991af0864535bbca24a606e8be7e45.zip
Fix array overrun in ecpg's version of ParseDateTime().
The code wrote a value into the caller's field[] array before checking to see if there was room, which of course is backwards. Per report from Michael Paquier. I fixed the equivalent bug in the backend's version of this code way back in 630684d3a130bb93, but failed to think about ecpg's copy. Fortunately this doesn't look like it would be exploitable for anything worse than a core dump: an external attacker would have no control over the single word that gets written.
Diffstat (limited to 'src')
-rw-r--r--src/interfaces/ecpg/pgtypeslib/dt_common.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/interfaces/ecpg/pgtypeslib/dt_common.c b/src/interfaces/ecpg/pgtypeslib/dt_common.c
index 7ca4dd51ce0..2286acd428f 100644
--- a/src/interfaces/ecpg/pgtypeslib/dt_common.c
+++ b/src/interfaces/ecpg/pgtypeslib/dt_common.c
@@ -1682,6 +1682,7 @@ DecodePosixTimezone(char *str, int *tzp)
*
* The "lowstr" work buffer must have at least strlen(timestr) + MAXDATEFIELDS
* bytes of space. On output, field[] entries will point into it.
+ * The field[] and ftype[] arrays must have at least MAXDATEFIELDS entries.
*/
int
ParseDateTime(char *timestr, char *lowstr,
@@ -1695,9 +1696,9 @@ ParseDateTime(char *timestr, char *lowstr,
while (*(*endstr) != '\0')
{
/* Record start of current field */
- field[nf] = lp;
if (nf >= MAXDATEFIELDS)
return -1;
+ field[nf] = lp;
/* leading digit? then date or time */
if (isdigit((unsigned char) *(*endstr)))