Обсуждение: BUG #18614: [ECPG] out of bound in DecodeDateTime
The following bug has been logged on the website:
Bug reference: 18614
Logged by: Pavel Nekrasov
Email address: p.nekrasov@fobos-nt.ru
PostgreSQL version: 17rc1
Operating system: Alt 10
Description:
in the line ```if (tm->tm_mday < 1 || tm->tm_mday >
day_tab[isleap(tm->tm_year)][tm->tm_mon - 1]) ``` tm->tm_mon may be equal to
0, which will result in reading by indexes -1
this is possible when calling PGTYPESdate_from_asc or
PGTYPEStimestamp_from_asc with "str" equal, for example, "AM95000062"
Patch:
--- a/src/interfaces/ecpg/pgtypeslib/dt_common.c
+++ b/src/interfaces/ecpg/pgtypeslib/dt_common.c
@@ -2327,10 +2327,9 @@ DecodeDateTime(char **field, int *ftype, int nf,
return ((fmask & DTK_TIME_M) == DTK_TIME_M) ? 1 : -1;
/*
- * check for valid day of month, now that we know for sure the month
- * and year...
+ * check for valid day of month and month, now that we know for sure the
year...
*/
- if (tm->tm_mday < 1 || tm->tm_mday >
day_tab[isleap(tm->tm_year)][tm->tm_mon - 1])
+ if (tm->tm_mon < 1 || tm->tm_mday < 1 || tm->tm_mday >
day_tab[isleap(tm->tm_year)][tm->tm_mon - 1])
return -1;
/*
Hello, I would like to clarify two points: 1. Are there any known examples of large open-source projects that actively use the ecpg? 2. Do you think it would be appropriate to assign a CVE for this bug? Best regards, Pavel Nekrasov Fobos-NT
Thank you for the clarification! Would it be possible to know which specific organizations or projects actively use ecpg? Best regards, Pavel Nekrasov Fobos-NT
El día viernes, octubre 25, 2024 a las 09:23:17 +0300, Павел Некрасов escribió:
> Thank you for the clarification!
>
> Would it be possible to know which specific organizations or projects actively use ecpg?
>
> Best regards,
> Pavel Nekrasov
> Fobos-NT
Our software, a complete Library Management System, uses ECPG from C and
C++ written servers on Linux.
matthias
--
Matthias Apitz, ✉ guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
Annalena Baerbock: "We are fighting a war against Russia ..." (25.1.2023)
I, Matthias, I am not at war with Russia.
Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.
On 2024-Oct-25, Павел Некрасов wrote: > Thank you for the clarification! > > Would it be possible to know which specific organizations or projects > actively use ecpg? It doesn't seem realistic to maintain a complete list, and many organizations are just not going to tell us or anyone that they're using it. -- Álvaro Herrera PostgreSQL Developer — https://www.EnterpriseDB.com/ "This is a foot just waiting to be shot" (Andrew Dunstan)