fix memory overflow in ecpg preproc module

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

fix memory overflow in ecpg preproc module

Liu, Huailing

Hi, everyone

 

I have found a potential memory overflow in ecpg preproc module.

 

Here is:

 

https://github.com/postgres/postgres/blob/REL9_5_16/src/interfaces/ecpg/preproc/pgc.l

 

In parse_include() function

-------------------------------------------------------------------

for (ip = include_paths; yyin == NULL && ip != NULL; ip = ip->next)

                            {

                                          if (strlen(ip->path) + strlen(yytext) + 3 > MAXPGPATH) 1   forget to count the length of char '\0'.

                                          {

                                                       fprintf(stderr, _("Error: include path \"%s/%s\" is too long on line %d, skipping\n"), ip->path, yytext, yylineno);

                                                        continue;

                                          }

                                          snprintf (inc_file, sizeof(inc_file), "%s/%s", ip->path, yytext);

                                          yyin = fopen(inc_file, "r");

                                          if (!yyin)

                                          {

                                                        if (strcmp(inc_file + strlen(inc_file) - 2, ".h") != 0)

                                                        {

                                                                      strcat(inc_file, ".h"); 2

                                                                      yyin = fopen( inc_file, "r" );

                                                        }

                                          }

-----------------------------------------------------------------------

For example

  (1)ecpg program has below statement

       EXEC SQL INCLUDE “abbbbbbbbcd”

filename's length is  11.

  (2)using ecpg -I command to Specify an additional include path

       an additional include path's length is 1010

              ex:/file1/ssssssss/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a

              /a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a

              /a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a

              /a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a

              /a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a

              /a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a

              /a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a

              /a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a

              /a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a

              /a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a

      

After entering the parse_include(), the roadmap of excuting is as follows.

1. When excuting the marked1 code, strlen(ip->path) is 1010, and  strlen(yytext) is 11.

    So the total length (strlen(ip->path) + strlen(yytext) + 3 ) is 1024.

    As MAXPGPATH is 1024, the error is not be throwed.

 2. When  excuting the marked2 code, the string stored in the variable inc_file is as follows.

             

    inc_file[0]:'f'

    inc_file[1]:'i'               

    ....

    inc_file[1022]:'.'

    inc_file[1023]:'h'  ====>there is no space for the char '\0'.

             

Last, it is easy to fix, here is a solution patch. 

 

--

以上

Liu Huailing

--------------------------------------------------

Liu Huailing

Development Department III

Software Division II

Nanjing Fujitsu Nanda Software Tech. Co., Ltd.(FNST)

ADDR.: No.6 Wenzhu Road, Software Avenue,

       Nanjing, 210012, China

TEL  : +86+25-86630566-8439

COINS: 7998-8439

FAX  : +86+25-83317685

MAIL : [hidden email]

--------------------------------------------------

 


pgl.pl.patch (790 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: fix memory overflow in ecpg preproc module

Michael Meskes-3
Hi,

> I have found a potential memory overflow in ecpg preproc module.
> ...

Thanks for finding and fixing, committed.

Michael
--
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Meskes at (Debian|Postgresql) dot Org
Jabber: michael at xmpp dot meskes dot org
VfL Borussia! Força Barça! SF 49ers! Use Debian GNU/Linux, PostgreSQL