granicus.if.org Git - postgresql/commit

author	Tom Lane <tgl@sss.pgh.pa.us>
	Fri, 6 May 2016 16:09:20 +0000 (12:09 -0400)
committer	Tom Lane <tgl@sss.pgh.pa.us>
	Fri, 6 May 2016 16:09:20 +0000 (12:09 -0400)
commit	504af1fe0497bceb0421a63fd8ef18e069ae057a
tree	b095f4f42710e0d8a2c76e76582974042b9191cf	tree \| snapshot
parent	4edbb265cee0b468d444b4aabb1b236334f09c3a	commit \| diff

Fix possible read past end of string in to_timestamp().

to_timestamp() handles the TH/th format codes by advancing over two input
characters, whatever those are.  It failed to notice whether there were
two characters available to be skipped, making it possible to advance
the pointer past the end of the input string and keep on parsing.
A similar risk existed in the handling of "Y,YYY" format: it would advance
over three characters after the "," whether or not three characters were
available.

In principle this might be exploitable to disclose contents of server
memory.  But the security team concluded that it would be very hard to use
that way, because the parsing loop would stop upon hitting any zero byte,
and TH/th format codes can't be consecutive --- they have to follow some
other format code, which would have to match whatever data is there.
So it seems impractical to examine memory very much beyond the end of the
input string via this bug; and the input string will always be in local
memory not in disk buffers, making it unlikely that anything very
interesting is close to it in a predictable way.  So this doesn't quite
rise to the level of needing a CVE.

Thanks to Wolf Roediger for reporting this bug.