
postgresql-8.1.23-10.el5_10.src.rpm

Security backport: CVE-2014-0063.  Note that postgresql 8.1 had a bug in
date-time/interval precision output fixed by those two commits
208d3a75555 d1ab3eb7120.  I edited the testsuite a little to enable this to
work with that bug (namely fix in expectation:
 - @ 100000000 years 10 mons -1000000000 days -1000000000 hours -10 mins -10.000001 secs ago
 + @ 100000000 years 10 mons -1000000000 days -1000000000 hours -10 mins -10 secs ago
This length of output should still be good enough (it caused a server failure
before).

Upstream comment:

    Fix handling of wide datetime input/output.

    Many server functions use the MAXDATELEN constant to size a buffer for
    parsing or displaying a datetime value.  It was much too small for the
    longest possible interval output and slightly too small for certain
    valid timestamp input, particularly input with a long timezone name.
    The long input was rejected needlessly; the long output caused
    interval_out() to overrun its buffer.  ECPG's pgtypes library has a copy
    of the vulnerable functions, which bore the same vulnerabilities along
    with some of its own.  In contrast to the server, certain long inputs
    caused stack overflow rather than failing cleanly.  Back-patch to 8.4
    (all supported versions).

    Reported by Daniel Schüssler, reviewed by Tom Lane.

diff --git a/src/include/utils/datetime.h b/src/include/utils/datetime.h
index e8e2653..3a28364 100644
--- a/src/include/utils/datetime.h
+++ b/src/include/utils/datetime.h
@@ -179,12 +179,17 @@
 #define DTK_DATE_M		(DTK_M(YEAR) | DTK_M(MONTH) | DTK_M(DAY))
 #define DTK_TIME_M		(DTK_M(HOUR) | DTK_M(MINUTE) | DTK_ALL_SECS_M)
 
-#define MAXDATELEN		51		/* maximum possible length of an input date
-								 * string (not counting tr. null) */
-#define MAXDATEFIELDS	25		/* maximum possible number of fields in a date
-								 * string */
-#define TOKMAXLEN		10		/* only this many chars are stored in
-								 * datetktbl */
+/*
+ * Working buffer size for input and output of interval, timestamp, etc.
+ * Inputs that need more working space will be rejected early.  Longer outputs
+ * will overrun buffers, so this must suffice for all possible output.  As of
+ * this writing, interval_out() needs the most space at ~90 bytes.
+ */
+#define MAXDATELEN		128
+/* maximum possible number of fields in a date string */
+#define MAXDATEFIELDS	25
+/* only this many chars are stored in datetktbl */
+#define TOKMAXLEN		10
 
 /* keep this struct small; it gets used a lot */
 typedef struct
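Review bot: The new MAXDATELEN comment states an invariant ("this must suffice for all possible output") that nothing in the header checks, and the same constant is defined a second time, with the same value and nearly the same comment, in src/interfaces/ecpg/pgtypeslib/dt.h (the dt.h hunk below), so a later change to one copy can silently leave the other too small for the outputs its formatters produce. A cross-reference would at least make the coupling visible: `/* Keep in sync with MAXDATELEN in src/interfaces/ecpg/pgtypeslib/dt.h */` here, and the mirror-image line in dt.h. The ~90-byte figure for interval_out() is asserted rather than derived, so the figure and the constant need to be re-checked together whenever the output formatting is extended.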
diff --git a/src/interfaces/ecpg/pgtypeslib/datetime.c b/src/interfaces/ecpg/pgtypeslib/datetime.c
index 50e5e54..c53ca22 100644
--- a/src/interfaces/ecpg/pgtypeslib/datetime.c
+++ b/src/interfaces/ecpg/pgtypeslib/datetime.c
@@ -44,14 +44,14 @@ PGTYPESdate_from_asc(char *str, char **endptr)
 	int			nf;
 	char	   *field[MAXDATEFIELDS];
 	int			ftype[MAXDATEFIELDS];
-	char		lowstr[MAXDATELEN + 1];
+	char		lowstr[MAXDATELEN + MAXDATEFIELDS];
 	char	   *realptr;
 	char	  **ptr = (endptr != NULL) ? endptr : &realptr;
 
 	bool		EuroDates = FALSE;
 
 	errno = 0;
-	if (strlen(str) >= sizeof(lowstr))
+	if (strlen(str) > MAXDATELEN)
 	{
 		errno = PGTYPES_DATE_BAD_DATE;
 		return INT_MIN;
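Review bot: The relationship between the enlarged lowstr (MAXDATELEN + MAXDATEFIELDS) and the loosened length check (`strlen(str) > MAXDATELEN`) is left implicit; the size follows from ParseDateTime's contract of strlen(timestr) + MAXDATEFIELDS bytes (the comment added in the dt_common.c hunk), and the check is what bounds strlen(str) so that the array suffices, so re-tightening either one alone would break the other. A comment above the declaration ties them together: `/* ParseDateTime needs strlen(str) + MAXDATEFIELDS bytes here; the length check below keeps strlen(str) <= MAXDATELEN */`. The remainder of PGTYPESdate_from_asc, including the ParseDateTime call, is outside the hunk.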
diff --git a/src/interfaces/ecpg/pgtypeslib/dt.h b/src/interfaces/ecpg/pgtypeslib/dt.h
index f8eefa9..c1d5df3 100644
--- a/src/interfaces/ecpg/pgtypeslib/dt.h
+++ b/src/interfaces/ecpg/pgtypeslib/dt.h
@@ -166,12 +166,17 @@ typedef double fsec_t;
 #define DTK_DATE_M		(DTK_M(YEAR) | DTK_M(MONTH) | DTK_M(DAY))
 #define DTK_TIME_M		(DTK_M(HOUR) | DTK_M(MINUTE) | DTK_M(SECOND))
 
-#define MAXDATELEN		51		/* maximum possible length of an input date
-								 * string (not counting tr. null) */
-#define MAXDATEFIELDS	25		/* maximum possible number of fields in a date
-								 * string */
-#define TOKMAXLEN		10		/* only this many chars are stored in
-								 * datetktbl */
+/*
+ * Working buffer size for input and output of interval, timestamp, etc.
+ * Inputs that need more working space will be rejected early.  Longer outputs
+ * will overrun buffers, so this must suffice for all possible output.  As of
+ * this writing, PGTYPESinterval_to_asc() needs the most space at ~90 bytes.
+ */
+#define MAXDATELEN		128
+/* maximum possible number of fields in a date string */
+#define MAXDATEFIELDS	25
+/* only this many chars are stored in datetktbl */
+#define TOKMAXLEN		10
 
 /* keep this struct small; it gets used a lot */
 typedef struct
diff --git a/src/interfaces/ecpg/pgtypeslib/dt_common.c b/src/interfaces/ecpg/pgtypeslib/dt_common.c
index 0d5f0cd..d080e9a 100644
--- a/src/interfaces/ecpg/pgtypeslib/dt_common.c
+++ b/src/interfaces/ecpg/pgtypeslib/dt_common.c
@@ -1136,15 +1136,22 @@ DecodeNumberField(int len, char *str, int fmask,
 	if ((cp = strchr(str, '.')) != NULL)
 	{
 #ifdef HAVE_INT64_TIMESTAMP
-		char		fstr[MAXDATELEN + 1];
+		char		fstr[7];
+		int			i;
+
+		cp++;
 
 		/*
 		 * OK, we have at most six digits to care about. Let's construct a
-		 * string and then do the conversion to an integer.
+		 * string with those digits, zero-padded on the right, and then do
+		 * the conversion to an integer.
+		 *
+		 * XXX This truncates the seventh digit, unlike rounding it as do
+		 * the backend and the !HAVE_INT64_TIMESTAMP case.
 		 */
-		strcpy(fstr, (cp + 1));
-		strcpy(fstr + strlen(fstr), "000000");
-		*(fstr + 6) = '\0';
+		for (i = 0; i < 6; i++)
+			fstr[i] = *cp != '\0' ? *cp++ : '0';
+		fstr[i] = '\0';
 		*fsec = strtol(fstr, NULL, 10);
 #else
 		*fsec = strtod(cp, NULL);
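Review bot: The hunk now advances `cp` (the added `cp++` and the `*cp++` inside the loop), whereas before the patch cp stayed at the '.' returned by strchr; the function continues past the hunk, and any later use of cp there will now see a pointer up to seven bytes further along, so if the pre-patch code truncated str at the decimal point through cp, that write now lands after the fractional digits and changes the length of str. Walking a separate pointer keeps cp stable: declare `const char *fp = cp + 1;` instead of `cp++;` and write the loop body as `fstr[i] = *fp != '\0' ? *fp++ : '0';`. Separately, the loop copies whatever six bytes follow the point without checking that they are digits, and `strtol(fstr, NULL, 10)` discards the end pointer, so a non-digit in that range is accepted silently as a shorter value; presumably this relies on ParseDateTime having classified the field as numeric, which deserves a comment if so.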
@@ -1496,15 +1503,22 @@ DecodeTime(char *str, int fmask, int *tmask, struct tm * tm, fsec_t *fsec)
 		else if (*cp == '.')
 		{
 #ifdef HAVE_INT64_TIMESTAMP
-			char		fstr[MAXDATELEN + 1];
+			char		fstr[7];
+			int			i;
+
+			cp++;
 
 			/*
-			 * OK, we have at most six digits to work with. Let's construct a
-			 * string and then do the conversion to an integer.
+			 * OK, we have at most six digits to care about. Let's construct a
+			 * string with those digits, zero-padded on the right, and then do
+			 * the conversion to an integer.
+			 *
+			 * XXX This truncates the seventh digit, unlike rounding it as do
+			 * the backend and the !HAVE_INT64_TIMESTAMP case.
 			 */
-			strncpy(fstr, (cp + 1), 7);
-			strcpy(fstr + strlen(fstr), "000000");
-			*(fstr + 6) = '\0';
+			for (i = 0; i < 6; i++)
+				fstr[i] = *cp != '\0' ? *cp++ : '0';
+			fstr[i] = '\0';
 			*fsec = strtol(fstr, &cp, 10);
 #else
 			str = cp;
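Review bot: On the last line of the hunk, `*fsec = strtol(fstr, &cp, 10);` overwrites cp with a pointer into the local fstr, so the position in str that the loop has just advanced to is discarded; whatever follows the hunk and inspects *cp (DecodeTime continues outside it) is examining the six copied bytes, not the rest of the input, which is why a seventh digit is dropped rather than rejected, as the XXX comment notes. The pre-patch strncpy version had the same aliasing, but the new loop makes it look as though cp is tracking str. A comment on that line makes it explicit: `/* cp now points into fstr, not str; input past the sixth digit is not examined here */`.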
@@ -1630,6 +1644,9 @@ DecodePosixTimezone(char *str, int *tzp)
  *	DTK_NUMBER can hold date fields (yy.ddd)
  *	DTK_STRING can hold months (January) and time zones (PST)
  *	DTK_DATE can hold Posix time zones (GMT-8)
+ *
+ * The "lowstr" work buffer must have at least strlen(timestr) + MAXDATEFIELDS
+ * bytes of space.  On output, field[] entries will point into it.
  */
 int
 ParseDateTime(char *timestr, char *lowstr,
@@ -1642,7 +1659,10 @@ ParseDateTime(char *timestr, char *lowstr,
 	/* outer loop through fields */
 	while (*(*endstr) != '\0')
 	{
+		/* Record start of current field */
 		field[nf] = lp;
+		if (nf >= MAXDATEFIELDS)
+			return -1;
 
 		/* leading digit? then date or time */
 		if (isdigit((unsigned char) *(*endstr)))
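Review bot: The bound check sits after the store it is meant to guard: `field[nf] = lp;` runs before `if (nf >= MAXDATEFIELDS) return -1;`, so on the iteration where nf equals MAXDATEFIELDS the function writes one pointer past the end of field[] (callers declare it with MAXDATEFIELDS entries, as in the datetime.c hunk) and only then returns. The post-increment check removed in the next hunk had the same off-by-one, so the patch relocates the check without closing the overrun. Swap the two statements so the check comes first: `if (nf >= MAXDATEFIELDS) return -1;` followed by `field[nf] = lp;`. ParseDateTime's body continues outside the hunk.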
@@ -1783,8 +1803,6 @@ ParseDateTime(char *timestr, char *lowstr,
 		/* force in a delimiter after each field */
 		*lp++ = '\0';
 		nf++;
-		if (nf > MAXDATEFIELDS)
-			return -1;
 	}
 
 	*numfields = nf;
diff --git a/src/interfaces/ecpg/pgtypeslib/interval.c b/src/interfaces/ecpg/pgtypeslib/interval.c
index fd915bb..4f0b70f 100644
--- a/src/interfaces/ecpg/pgtypeslib/interval.c
+++ b/src/interfaces/ecpg/pgtypeslib/interval.c
@@ -760,7 +760,7 @@ PGTYPESinterval_from_asc(char *str, char **endptr)
 	tm->tm_sec = 0;
 	fsec = 0;
 
-	if (strlen(str) >= sizeof(lowstr))
+	if (strlen(str) > MAXDATELEN)
 	{
 		errno = PGTYPES_INTVL_BAD_INTERVAL;
 		return NULL;
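Review bot: The check changes from `>= sizeof(lowstr)`, which was self-consistent with whatever size lowstr had, to the constant `> MAXDATELEN`, but lowstr's declaration is outside this hunk; unless it is at least MAXDATELEN + MAXDATEFIELDS bytes (as datetime.c's becomes in this patch, and as the ParseDateTime comment in dt_common.c requires), inputs of exactly MAXDATELEN bytes are now accepted that the buffer cannot hold. The declarations in PGTYPESinterval_from_asc and in PGTYPEStimestamp_from_asc (the timestamp.c hunk makes the same change) should be confirmed against that requirement. If they are already that size, a comment beside the check prevents the question from being asked again: `/* lowstr is MAXDATELEN + MAXDATEFIELDS bytes; see ParseDateTime */`.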
diff --git a/src/interfaces/ecpg/pgtypeslib/timestamp.c b/src/interfaces/ecpg/pgtypeslib/timestamp.c
index 681d901..2ba6725 100644
--- a/src/interfaces/ecpg/pgtypeslib/timestamp.c
+++ b/src/interfaces/ecpg/pgtypeslib/timestamp.c
@@ -317,7 +317,7 @@ PGTYPEStimestamp_from_asc(char *str, char **endptr)
 	char	   *realptr;
 	char	  **ptr = (endptr != NULL) ? endptr : &realptr;
 
-	if (strlen(str) >= sizeof(lowstr))
+	if (strlen(str) > MAXDATELEN)
 	{
 		errno = PGTYPES_TS_BAD_TIMESTAMP;
 		return (noresult);
diff --git a/src/test/regress/expected/interval.out b/src/test/regress/expected/interval.out
index 0a54b06..0687582 100644
--- a/src/test/regress/expected/interval.out
+++ b/src/test/regress/expected/interval.out
@@ -228,6 +228,13 @@ select '4 millenniums 5 centuries 4 decades 1 year 4 months 4 days 17 minutes 31
  @ 4541 years 4 mons 4 days 17 mins 31 secs
 (1 row)
 
+-- test long interval output
+select '100000000y 10mon -1000000000d -1000000000h -10min -10.000001s ago'::interval;
+                                        interval
+------------------------------------------------------------------------------------
+ @ 100000000 years 10 mons -1000000000 days -1000000000 hours -10 mins -10 secs ago
+(1 row)
+
 -- test justify_hours() and justify_days()
 SELECT justify_hours(interval '6 months 3 days 52 hours 3 minutes 2 seconds') as "6 mons 5 days 4 hours 3 mins 2 seconds";
  6 mons 5 days 4 hours 3 mins 2 seconds 
diff --git a/src/test/regress/sql/interval.sql b/src/test/regress/sql/interval.sql
index 540b887..f027f4b 100644
--- a/src/test/regress/sql/interval.sql
+++ b/src/test/regress/sql/interval.sql
@@ -70,6 +70,8 @@ select avg(f1) from interval_tbl;
 -- test long interval input
 select '4 millenniums 5 centuries 4 decades 1 year 4 months 4 days 17 minutes 31 seconds'::interval;
 
+-- test long interval output
+select '100000000y 10mon -1000000000d -1000000000h -10min -10.000001s ago'::interval;
 
 -- test justify_hours() and justify_days()