granicus.if.org Git - postgresql/commit

author	Tom Lane <tgl@sss.pgh.pa.us>
	Fri, 6 May 2016 16:09:20 +0000 (12:09 -0400)
committer	Tom Lane <tgl@sss.pgh.pa.us>
	Fri, 6 May 2016 16:09:20 +0000 (12:09 -0400)
commit	11247dd99a6502799a3cb5fdbe1f5c2354862b1b
tree	95e8cf11a3cd55888f40b989301d5c0e1469586c	tree \| snapshot
parent	29d154e3687bc27d89ca88a9f184ce4f436b25bd	commit \| diff

Fix possible read past end of string in to_timestamp().

to_timestamp() handles the TH/th format codes by advancing over two input
characters, whatever those are.  It failed to notice whether there were
two characters available to be skipped, making it possible to advance
the pointer past the end of the input string and keep on parsing.
A similar risk existed in the handling of "Y,YYY" format: it would advance
over three characters after the "," whether or not three characters were
available.

In principle this might be exploitable to disclose contents of server
memory.  But the security team concluded that it would be very hard to use
that way, because the parsing loop would stop upon hitting any zero byte,
and TH/th format codes can't be consecutive --- they have to follow some
other format code, which would have to match whatever data is there.
So it seems impractical to examine memory very much beyond the end of the
input string via this bug; and the input string will always be in local
memory not in disk buffers, making it unlikely that anything very
interesting is close to it in a predictable way.  So this doesn't quite
rise to the level of needing a CVE.

Thanks to Wolf Roediger for reporting this bug.