Re: [COMMITTERS] pgsql-server/src include/utils/timestamp.h bac ...

Neil Conway <nconway@klamath.dyndns.org>

From: Neil Conway <nconway@klamath.dyndns.org>
To: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Cc: thomas@postgresql.org (Thomas Lockhart), pgsql-hackers@postgresql.org
Date: 2002-08-04T22:45:46Z
Lists: pgsql-hackers
Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE> writes:
> thomas@postgresql.org (Thomas Lockhart) writes:
> > Log message:
> > 	Add guard code to protect from buffer overruns on long date/time input
> > 	strings. Should go back in and look at doing this a bit more elegantly
> > 	and (hopefully) cheaper. Probably not too bad anyway, but it seems a
> > 	shame to scan the strings twice: once for length for this buffer overrun
> > 	protection, and once to parse the line.
> 
> Are these changes available for 7.2, too?  There is at least a DoS
> potential lurking here. :-(

Thomas can correct me if I'm mistaken, but I believe these changes apply
to the new integer datetime code Thomas wrote earlier in the 7.3
development cycle -- i.e. there's no bug present in 7.2, or earlier CVS
code when compiled without --enable-integer-datetimes.

Cheers,

Neil

-- 
Neil Conway <neilconway@rogers.com>
PGP Key ID: DB3C29FC