postgresql-interfaces/psqlodbc GitHub issues and pull requests (mirror)
From: jarvis24young (@jarvis24young) <[email protected]>
To: postgresql-interfaces/psqlodbc <[email protected]>
Subject: [postgresql-interfaces/psqlodbc] issue #173: Unchecked interval precision can write past the local buffer in getPrecisionPart()
Date: Wed, 22 Apr 2026 01:56:50 +0000
Message-ID: <[email protected]>

`convert.c:getPrecisionPart()` uses a fixed local buffer for fractional seconds:

```c
char fraction[] = "000000000";
const int fracs = sizeof(fraction) - 1;
```

but later writes:

```c
fraction[precision] = '\0';
```

without clamping `precision` to `fracs` first.

Why this fails:

- `precision` is not derived from the local buffer length. It comes from the external interval precision path and can be larger than 9.
- The function already caps `cpys = strlen(precPart)` to `fracs`, so only the copied digit count is bounded.
- The terminator write still uses the original `precision` value, so `precision > 9` writes past the end of `fraction`.
- After that, `pg_atoi(fraction)` operates on a stack buffer that may already be corrupted.

So the bug is not in the `memcpy()` length. The problem is the unchecked index used for the terminating `\0`.

A minimal reproducer is:

```c
(void) getPrecisionPart(20, "123");
```

Under ASan this is reported as a stack-buffer-overflow.

A real call path also exists through interval conversion, for example when interval text with fractional seconds is converted and the descriptor precision passed down to `interval2istruct()` / `getPrecisionPart()` is larger than the 9 digits the local buffer can hold.

The minimal fix is to clamp `precision` before indexing `fraction`:

```c
if (precision > fracs)
    precision = fracs;
```

I have a minimal one-commit fix here:

- Branch: https://github.com/jarvis24young/psqlodbc/tree/issue-getprecisionpart-overflow

If useful, I can also open a PR with only this change.

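The pattern reported above (a bounded copy followed by an unbounded terminator write) is easier to reason about with both shapes side by side. The following is an added example, a simplified reconstruction written for this page and not psqlodbc's own `convert.c`; the function names `precision_part_unclamped`, `precision_part_clamped` and `terminator_index_in_bounds`, the `FRAC_DIGITS` constant, the use of `atoi()` in place of `pg_atoi()`, and the sample inputs are all assumptions made here. The unclamped variant keeps the defect the issue describes, so it must only be called with a precision that fits the buffer; the clamped variant applies the proposed fix before `precision` is used as an index.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the fractional-seconds buffer from the issue:
 * nine digits plus the terminating NUL.  Not psqlodbc's code. */
#define FRAC_DIGITS 9

/* Vulnerable shape: the copy length is capped to the buffer, but the
 * terminator index is not.  With precision > FRAC_DIGITS the store to
 * fraction[precision] writes past the stack buffer (undefined behaviour;
 * ASan reports it as a stack-buffer-overflow).  Only call this with a
 * precision in range. */
int precision_part_unclamped(int precision, const char *prec_part)
{
    char fraction[] = "000000000";
    const int fracs = (int)(sizeof(fraction) - 1);
    size_t cpys = strlen(prec_part);

    if (cpys > (size_t)fracs)
        cpys = (size_t)fracs;     /* copied digit count is bounded ... */
    memcpy(fraction, prec_part, cpys);
    fraction[precision] = '\0';   /* ... the terminator index is not   */
    return atoi(fraction);        /* stands in for pg_atoi() here      */
}

/* Hardened shape: clamp precision to the digits the buffer can hold, and
 * reject a negative precision, before it is used as an index. */
int precision_part_clamped(int precision, const char *prec_part)
{
    char fraction[] = "000000000";
    const int fracs = (int)(sizeof(fraction) - 1);
    size_t cpys = strlen(prec_part);

    if (precision < 0)
        precision = 0;
    if (precision > fracs)        /* the proposed fix */
        precision = fracs;
    if (cpys > (size_t)fracs)
        cpys = (size_t)fracs;
    memcpy(fraction, prec_part, cpys);
    fraction[precision] = '\0';   /* now always within the buffer */
    return atoi(fraction);
}

/* Review check: does a terminator write at this precision stay inside a
 * buffer of FRAC_DIGITS digits plus one NUL byte? */
int terminator_index_in_bounds(int precision)
{
    return precision >= 0 && precision <= FRAC_DIGITS;
}

int main(void)
{
    /* Constructed inputs: the issue's reproducer (20, "123") and two
     * ordinary precisions.  The unclamped variant is deliberately not
     * exercised with precision 20. */
    printf("precision 3,  \"123\" -> %d\n", precision_part_clamped(3, "123"));
    printf("precision 6,  \"5\"   -> %d\n", precision_part_clamped(6, "5"));
    printf("precision 20, \"123\" -> %d (clamped to %d digits)\n",
           precision_part_clamped(20, "123"), FRAC_DIGITS);
    printf("terminator index 20 in bounds: %s\n",
           terminator_index_in_bounds(20) ? "yes" : "no");
    return 0;
}
```

The clamp is placed ahead of the `memcpy()` length check rather than after it, so that `precision` is never used as an index before it has been bounded; with the issue's reproducer the clamped variant returns the nine-digit value `123000000` instead of indexing past the buffer.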
