0001-Detect-buffer-underflow-in-get_th.patch
text/x-patch
Filename: 0001-Detect-buffer-underflow-in-get_th.patch
Type: text/x-patch
Part: 0
Message:
Detect buffer underflow in get_th()
Patch
Format: format-patch
Series: patch 0001
Subject: Detect buffer underflow in get_th()
| File | + | − |
|---|---|---|
| src/backend/utils/adt/formatting.c | 5 | 0 |
From de36780802b72b643b47ec129979292e9832e9e7 Mon Sep 17 00:00:00 2001
From: Alexander Kuznetsov <kuznetsovam@altlinux.org>
Date: Wed, 24 Jul 2024 12:31:45 +0300
Subject: [PATCH] Detect buffer underflow in get_th()
If get_th() can receive input that is not a number,
then it can also receive empty input.
Empty input with zero length can result in a buffer underflow
when accessing *(num + (len - 1)), as (len - 1) would produce a negative index.
Add a check for zero-length input to prevent it.
This was found by ALT Linux Team.
---
src/backend/utils/adt/formatting.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/backend/utils/adt/formatting.c b/src/backend/utils/adt/formatting.c
index 8736ada4be..0ab5ac5bf0 100644
--- a/src/backend/utils/adt/formatting.c
+++ b/src/backend/utils/adt/formatting.c
@@ -1518,6 +1518,11 @@ get_th(char *num, int type)
int len = strlen(num),
last;
+ if (len == 0)
+ ereport(ERROR,
+ (errcode(ERRCODE_ZERO_LENGTH_CHARACTER_STRING),
+ errmsg("input cannot be empty string")));
+
last = *(num + (len - 1));
if (!isdigit((unsigned char) last))
ereport(ERROR,
--
2.42.2