Thread: BUG #18614: [ECPG] out of bound in DecodeDateTime

The following bug has been logged on the website:

Bug reference:      18614
Logged by:          Pavel Nekrasov
Email address:      p.nekrasov@fobos-nt.ru
PostgreSQL version: 17rc1
Operating system:   Alt 10
Description:

in the line ```if (tm->tm_mday < 1 || tm->tm_mday >
day_tab[isleap(tm->tm_year)][tm->tm_mon - 1]) ``` tm->tm_mon may be equal to
0, which will result in reading by indexes -1

this is possible when calling PGTYPESdate_from_asc or
PGTYPEStimestamp_from_asc with "str" equal, for example, "AM95000062"

Patch:

--- a/src/interfaces/ecpg/pgtypeslib/dt_common.c
+++ b/src/interfaces/ecpg/pgtypeslib/dt_common.c
@@ -2327,10 +2327,9 @@ DecodeDateTime(char **field, int *ftype, int nf,
             return ((fmask & DTK_TIME_M) == DTK_TIME_M) ? 1 : -1;
 
         /*
-         * check for valid day of month, now that we know for sure the month
-         * and year...
+         * check for valid day of month and month, now that we know for sure the
year...
          */
-        if (tm->tm_mday < 1 || tm->tm_mday >
day_tab[isleap(tm->tm_year)][tm->tm_mon - 1])
+        if (tm->tm_mon < 1 || tm->tm_mday < 1 || tm->tm_mday >
day_tab[isleap(tm->tm_year)][tm->tm_mon - 1])
             return -1;
 
         /*

Hello,

I would like to clarify two points:

1. Are there any known examples of large open-source projects that actively use the ecpg?

2. Do you think it would be appropriate to assign a CVE for this bug?

Best regards,  
Pavel Nekrasov  
Fobos-NT

Thank you for the clarification!

Would it be possible to know which specific organizations or projects actively use ecpg?

Best regards,
Pavel Nekrasov
Fobos-NT

El día viernes, octubre 25, 2024 a las 09:23:17 +0300, Павел Некрасов escribió:

> Thank you for the clarification!
> 
> Would it be possible to know which specific organizations or projects actively use ecpg?
> 
> Best regards,
> Pavel Nekrasov
> Fobos-NT

Our software, a complete Library Management System, uses ECPG from C and
C++ written servers on Linux.

    matthias

-- 
Matthias Apitz, ✉ guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

Annalena Baerbock: "We are fighting a war against Russia ..." (25.1.2023)

I, Matthias, I am not at war with Russia.
Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.

On 2024-Oct-25, Павел Некрасов wrote:

> Thank you for the clarification!
> 
> Would it be possible to know which specific organizations or projects
> actively use ecpg?

It doesn't seem realistic to maintain a complete list, and many
organizations are just not going to tell us or anyone that they're using
it.

-- 
Álvaro Herrera         PostgreSQL Developer  —  https://www.EnterpriseDB.com/
"This is a foot just waiting to be shot"                (Andrew Dunstan)