Re: [COMMITTERS] pgsql-server/src include/utils/timestamp.h bac ...
Neil Conway <nconway@klamath.dyndns.org>
From: Neil Conway <nconway@klamath.dyndns.org>
To: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Cc: thomas@postgresql.org (Thomas Lockhart), pgsql-hackers@postgresql.org
Date: 2002-08-04T22:45:46Z
Lists: pgsql-hackers
Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE> writes: > thomas@postgresql.org (Thomas Lockhart) writes: > > Log message: > > Add guard code to protect from buffer overruns on long date/time input > > strings. Should go back in and look at doing this a bit more elegantly > > and (hopefully) cheaper. Probably not too bad anyway, but it seems a > > shame to scan the strings twice: once for length for this buffer overrun > > protection, and once to parse the line. > > Are these changes available for 7.2, too? There is at least a DoS > potential lurking here. :-( Thomas can correct me if I'm mistaken, but I believe these changes apply to the new integer datetime code Thomas wrote earlier in the 7.3 development cycle -- i.e. there's no bug present in 7.2, or earlier CVS code when compiled without --enable-integer-datetimes. Cheers, Neil -- Neil Conway <neilconway@rogers.com> PGP Key ID: DB3C29FC