Thread: BUG #17788: Incorrect memory access when parsing empty string as sql_standard interval

BUG #17788: Incorrect memory access when parsing empty string as sql_standard interval

From
PG Bug reporting form
Date:
The following bug has been logged on the website:

Bug reference:      17788
Logged by:          Alexander Lakhin
Email address:      exclusion@gmail.com
PostgreSQL version: 15.2
Operating system:   Ubuntu 22.04
Description:

When executing under valgrind:
SET IntervalStyle TO sql_standard;
SELECT ''::interval;

The following error is detected:
==00:00:00:03.574 1155861== Use of uninitialised value of size 8
==00:00:00:03.574 1155861==    at 0x606ADE: DecodeInterval
(datetime.c:3368)
==00:00:00:03.574 1155861==    by 0x6C4B79: interval_in (timestamp.c:915)
==00:00:00:03.574 1155861==    by 0x718ED0: InputFunctionCall
(fmgr.c:1532)
==00:00:00:03.574 1155861==    by 0x719133: OidInputFunctionCall
(fmgr.c:1635)
==00:00:00:03.574 1155861==    by 0x34F0CD: stringTypeDatum
(parse_type.c:662)
==00:00:00:03.574 1155861==    by 0x333F66: coerce_type
(parse_coerce.c:311)
==00:00:00:03.574 1155861==    by 0x33322B: coerce_to_target_type
(parse_coerce.c:104)
==00:00:00:03.574 1155861==    by 0x33A8B8: transformTypeCast
(parse_expr.c:2651)
==00:00:00:03.574 1155861==    by 0x339E72: transformExprRecurse
(parse_expr.c:146)
==00:00:00:03.574 1155861==    by 0x339C32: transformExpr
(parse_expr.c:104)
==00:00:00:03.574 1155861==    by 0x34DAB0: transformTargetEntry
(parse_target.c:95)
==00:00:00:03.574 1155861==    by 0x34DB5F: transformTargetList
(parse_target.c:183)
==00:00:00:03.574 1155861==
...
==00:00:00:03.574 1155861==
==00:00:00:03.574 1155861== Exit program on first error
(--exit-on-first-error=yes)
2023-02-12 10:32:40.739 MSK|||63e89615.11a2c9|LOG:  server process (PID
1155861) exited with exit code 1
2023-02-12 10:32:40.739 MSK|||63e89615.11a2c9|DETAIL:  Failed process was
running: SELECT ''::interval;

This defect was introduced by the commit e39f9904.
Before that commit the check
    if (IntervalStyle == INTSTYLE_SQL_STANDARD && *field[0] == '-')
was guarded by
    if (fmask == 0)
        return DTERR_BAD_FORMAT;
but now field[0] is accessed unconditionally (even when nf == 0) for the
SQL_STANDARD style.


PG Bug reporting form <noreply@postgresql.org> writes:
> When executing under valgrind:
> SET IntervalStyle TO sql_standard;
> SELECT ''::interval;

> The following error is detected:
> ==00:00:00:03.574 1155861== Use of uninitialised value of size 8
> ==00:00:00:03.574 1155861==    at 0x606ADE: DecodeInterval
> (datetime.c:3368)

Good catch!  For me, it dumps core about half the time even without
using valgrind.

> This defect was introduced by the commit e39f9904.
> Before that commit the check
>     if (IntervalStyle == INTSTYLE_SQL_STANDARD && *field[0] == '-')
> was guarded by
>     if (fmask == 0)
>         return DTERR_BAD_FORMAT;
> but now field[0] is accessed unconditionally (even when nf == 0) for the
> SQL_STANDARD style.

Right.  Not checking nf > 0 wasn't great style there in any case,
but it accidentally failed to fail before.

Fix pushed --- thanks for the report!

            regards, tom lane