granicus.if.org Git - postgresql/commit

author	Tom Lane <tgl@sss.pgh.pa.us>
	Fri, 6 May 2016 16:09:20 +0000 (12:09 -0400)
committer	Tom Lane <tgl@sss.pgh.pa.us>
	Fri, 6 May 2016 16:09:20 +0000 (12:09 -0400)
commit	462456d8d08339cbceb0cd3dad32bdddb0531ba5
tree	54a54043cb15b0427f5d8b0fbf082eae84c7aa0a	tree \| snapshot
parent	d30c67af801dd4d380657d24a3211cfd4e0c4823	commit \| diff

Fix possible read past end of string in to_timestamp().

to_timestamp() handles the TH/th format codes by advancing over two input
characters, whatever those are.  It failed to notice whether there were
two characters available to be skipped, making it possible to advance
the pointer past the end of the input string and keep on parsing.
A similar risk existed in the handling of "Y,YYY" format: it would advance
over three characters after the "," whether or not three characters were
available.

In principle this might be exploitable to disclose contents of server
memory.  But the security team concluded that it would be very hard to use
that way, because the parsing loop would stop upon hitting any zero byte,
and TH/th format codes can't be consecutive --- they have to follow some
other format code, which would have to match whatever data is there.
So it seems impractical to examine memory very much beyond the end of the
input string via this bug; and the input string will always be in local
memory not in disk buffers, making it unlikely that anything very
interesting is close to it in a predictable way.  So this doesn't quite
rise to the level of needing a CVE.

Thanks to Wolf Roediger for reporting this bug.