Thread: A potential memory access violation in ecpg when using EXEC SQL INCLUDE

A potential memory access violation in ecpg when using EXEC SQL INCLUDE

From: "Wu, Fei"
Date:

Hi, everyone.

I have found a potential memory access violation in the ecpg module. And I found that this problem happens in all postgres versions.

Here it is:

https://github.com/postgres/postgres/blob/REL9_5_16/src/interfaces/ecpg/preproc/pgc.l

----------------------------------------------------------------------------------------------------------------------------

        /* If file name is enclosed in '"' remove these and look only in '.' */
        /* Informix does look into all include paths though, except filename starts with '/' */
        if (yytext[0] == '"' && yytext[i] == '"' &&
            ((compat != ECPG_COMPAT_INFORMIX && compat != ECPG_COMPAT_INFORMIX_SE) || yytext[1] == '/'))
        {
            yytext[i] = '\0';
            memmove(yytext, yytext+1, strlen(yytext));

            strlcpy(inc_file, yytext, sizeof(inc_file));
            yyin = fopen(inc_file, "r");
            if (!yyin)
            {
                if (strcmp(inc_file + strlen(inc_file) - 2, ".h") != 0)
                {
                    strcat(inc_file, ".h");
                    yyin = fopen(inc_file, "r");
                }
            }

        }

----------------------------------------------------------------------------------------------------------------------------

When precompiling an ecpg program (running “ecpg xxx.pgc” is enough) which has the statement below

------------------------------------

EXEC SQL INCLUDE “a”

------------------------------------

(Here, “a” is short for “a.h”; this feature is documented at https://www.postgresql.org/docs/9.5/ecpg-preproc.html#ECPG-INCLUDE )

The ecpg command runs into the program fragment above, and inc_file’s value is the string “a”, whose strlen(inc_file) is 1.

Here, ecpg first tries to open a header file named “a”, which does not exist. Obviously, this fails.

Then ecpg tries to find out whether the given filename “a” has the suffix “.h”, in the code line marked above.

Here, strlen(inc_file) is 1, so ecpg accesses the address inc_file - 1. That means it accesses an address outside of inc_file.

It obviously is a potential problem which may not lead to an error or crash most of the time. But it is a hidden danger which should be fixed.


Lastly, it is easy to fix; here is a minimum reproduction case and a solution patch.


--

Best Regards

-----------------------------------------------------

Wu Fei

DX3

Nanjing Fujitsu Nanda Software Tech. Co., Ltd.(FNST)

ADDR.: No.6 Wenzhu Road, Software Avenue,

       Nanjing, 210012, China

TEL  : +86+25-86630566-9356

COINS: 7998-9356

FAX: +86+25-83317685

MAIL:wufei.fnst@cn.fujitsu.com

http://www.fujitsu.com/cn/fnst/

---------------------------------------------------


Attachment
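The buffer under-read described in the report, as an added example that is not part of the original message and not ecpg's own code. has_h_suffix_unchecked reproduces the pgc.l expression; has_h_suffix_checked is one hardened variant (an assumption for this example, not the patch that was committed); probe, underrun_bytes, GUARD_LEN and NAME_MAX are names invented here. The name is placed two bytes into a larger buffer with known guard bytes in front of it, so the pointer that pgc.l would form at inc_file - 1 stays inside one object and the example is well-defined C while still showing what the out-of-range compare sees.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The check as written in pgc.l: the pointer inc_file + strlen - 2 is
 * formed before anyone asks whether the string has two characters. For
 * "a" it points one byte before the buffer, for "" two bytes before. */
static bool has_h_suffix_unchecked(const char *inc_file)
{
    return strcmp(inc_file + strlen(inc_file) - 2, ".h") == 0;
}

/* Hardened variant (assumed for this example, not the committed fix):
 * establish the length first, and only then form the pointer. */
static bool has_h_suffix_checked(const char *inc_file)
{
    size_t len = strlen(inc_file);

    if (len < 2)
        return false;
    return strcmp(inc_file + len - 2, ".h") == 0;
}

#define GUARD_LEN 2   /* bytes placed in front of the simulated inc_file */
#define NAME_MAX  64  /* capacity of the simulated inc_file */

/* Run `check` on `name` copied to buf + GUARD_LEN, with `guard` filling
 * the GUARD_LEN bytes before it. The unchecked arithmetic lands on those
 * guard bytes instead of on whatever happens to precede inc_file on the
 * real stack, so the wrong answer it produces is reproducible. */
static bool probe(bool (*check)(const char *), char guard, const char *name)
{
    char buf[GUARD_LEN + NAME_MAX + 1];

    memset(buf, guard, GUARD_LEN);
    strncpy(buf + GUARD_LEN, name, NAME_MAX);
    buf[GUARD_LEN + NAME_MAX] = '\0';
    return check(buf + GUARD_LEN);
}

/* How many bytes before inc_file the unchecked expression reads from:
 * 0 for names of two or more characters, 1 for "a", 2 for "". */
static size_t underrun_bytes(const char *name)
{
    size_t len = strlen(name);

    return len >= GUARD_LEN ? 0 : GUARD_LEN - len;
}

int main(void)
{
    /* Constructed sample include names, including the one-character
     * case from the report and the empty string. */
    static const char *names[] = { "a", "h", "", "x.h", "foo", "foo.h" };

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *n = names[i];

        printf("\"%s\": unchecked(guard '.')=%d unchecked(guard 'x')=%d "
               "checked=%d bytes read before buffer=%zu\n",
               n,
               probe(has_h_suffix_unchecked, '.', n),
               probe(has_h_suffix_unchecked, 'x', n),
               probe(has_h_suffix_checked, '.', n),
               underrun_bytes(n));
    }
    return 0;
}
```

With the guard byte set to '.', the unchecked check decides that the one-character name "h" already ends in ".h", so the retry with "h.h" appended would never happen; with any other guard byte it answers differently. The answer depends on memory ecpg does not own, which is the hidden danger the report describes. The length-checked variant returns the same result regardless of what precedes the buffer.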

Re: A potential memory access violation in ecpg when using EXEC SQL INCLUDE

From: Michael Meskes
Date:
Hi all,

> I have found a potential memory access violation in ecpg module. And
> I found that this problem happens in all postgres versions.
> ...

Thanks for finding and fixing. Committed.

Michael
-- 
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Meskes at (Debian|Postgresql) dot Org
Jabber: michael at xmpp dot meskes dot org
VfL Borussia! Força Barça! SF 49ers! Use Debian GNU/Linux, PostgreSQL