BUG #4015: uninitialized value passed as an argument to tm2timetz - Mailing list pgsql-bugs

From Ted Kremenek
Subject BUG #4015: uninitialized value passed as an argument to tm2timetz
Date
Msg-id 200803052212.m25MClMt014585@wwwmaster.postgresql.org
Whole thread Raw
Responses Re: BUG #4015: uninitialized value passed as an argument to tm2timetz
List pgsql-bugs
The following bug has been logged online:

Bug reference:      4015
Logged by:          Ted Kremenek
Email address:      kremenek@apple.com
PostgreSQL version: 8.3.0
Operating system:   Mac OS X 10.5.2
Description:        uninitialized value passed as an argument to tm2timetz
Details:

It appears that there may be a case where the function tm2timetz is called
with an uninitialized (i.e., undefined) value passed as one of its arguments
(actually multiple arguments are undefined).  This appears to occur along an
error path when the  date string is not properly formatted.  I'm not certain
if this would be a real bug in practice, but it looks like a classic case
where an input processing function fails to properly recover from malformed
input.

Here is the code and diagnosis.

In postgresql-8.3.0/src/backend/utils/adt/date.c:


Datum
timetz_in(PG_FUNCTION_ARGS)
{
... <SNIP>
    int            tz;
... <SNIP>

    dterr = ParseDateTime(str, workbuf, sizeof(workbuf),
                          field, ftype, MAXDATEFIELDS, &nf);

==> In the case ParseDateTime fails, dterr has a non-zero value.

    if (dterr == 0) {
         ==> This branch is NOT taken.
         ==> This is the only branch that initializes "tz" by passing it
         ==> by reference to DecodeTimeOnly.  Note that the struct
         ==> referred to by tm is also not initialized.

       dterr = DecodeTimeOnly(field, ftype, nf, &dtype, tm, &fsec, &tz);
       }

    if (dterr != 0) {

            ==> This branch is TAKEN.
            ==> Note that "tz" is not initialized, nor does
            ==> DateTimeParseError cause execution to abort.

            DateTimeParseError(dterr, str, "time with time zone");
         }

    result = (TimeTzADT *) palloc(sizeof(TimeTzADT));

==> ERROR:
==> At this point "tz" is passed to tm2timetz, which is uninitialized.
==> Note that the value pointed to be "tm" is also uninitialized,
==> meaning that tm2timetz is passed garbage that sometimes
==> may be valid (due to remnants of data still on the stack).

    tm2timetz(tm, fsec, tz, result);
    AdjustTimeForTypmod(&(result->time), typmod);

    PG_RETURN_TIMETZADT_P(result);
}

pgsql-bugs by date:

Previous
From: Bill Moran
Date:
Subject: Re: BUG #4012: bug in pg_query
Next
From: Tom Lane
Date:
Subject: Re: BUG #4015: uninitialized value passed as an argument to tm2timetz