Message-ID:
From: "jarvis24young (@jarvis24young)"
To: "postgresql-interfaces/psqlodbc"
Date: Wed, 22 Apr 2026 01:56:50 +0000
Subject: [postgresql-interfaces/psqlodbc] issue #173: Unchecked interval precision can write past the local buffer in getPrecisionPart()
List-Id:
X-GitHub-Author-Id: 48787405
X-GitHub-Author-Login: jarvis24young
X-GitHub-Issue: 173
X-GitHub-Repo: postgresql-interfaces/psqlodbc
X-GitHub-State: closed
X-GitHub-Type: issue
X-GitHub-Url: https://github.com/postgresql-interfaces/psqlodbc/issues/173
Content-Type: text/plain; charset=utf-8

`convert.c:getPrecisionPart()` uses a fixed local buffer for fractional seconds:

```c
char fraction[] = "000000000";
const int fracs = sizeof(fraction) - 1;
```

but later writes:

```c
fraction[precision] = '\0';
```

without clamping `precision` to `fracs` first.

Why this fails:

- `precision` is not derived from the local buffer length. It comes from the external interval precision path and can be larger than 9.
- The function already caps `cpys = strlen(precPart)` to `fracs`, so only the copied digit count is bounded.
- The terminator write still uses the original `precision` value, so `precision > 9` writes past the end of `fraction`.
- After that, `pg_atoi(fraction)` operates on a stack buffer that may already be corrupted.

So the bug is not in the `memcpy()` length. The problem is the unchecked index used for the terminating `\0`.

A minimal reproducer is:

```c
(void) getPrecisionPart(20, "123");
```

Under ASan this is reported as a stack-buffer-overflow.

A real call path also exists through interval conversion, for example when interval text with fractional seconds is converted and the descriptor precision passed down to `interval2istruct()` / `getPrecisionPart()` is larger than the 9 digits the local buffer can hold.

The minimal fix is to clamp `precision` before indexing `fraction`:

```c
if (precision > fracs)
    precision = fracs;
```

I have a minimal one-commit fix here:

- Branch: https://github.com/jarvis24young/psqlodbc/tree/issue-getprecisionpart-overflow

If useful, I can also open a PR with only this change.
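The following stand-alone C program is an added example, not psqlodbc code and not the reporter's branch. It models the function shape described in the issue from the snippets quoted above: a nine-digit stack buffer, a bounded `memcpy()`, and a terminator write indexed by the caller's precision. The unclamped and clamped variants sit side by side so the one-line difference is visible. Function names, the `strtol()` stand-in for `pg_atoi()`, the treatment of `precision <= 0` as "no fractional part", and the sample inputs are all assumptions made for the example; the real `convert.c` may differ in those details.

```c
/* Added example, not psqlodbc code: a model of the terminator write
 * discussed in issue #173, built from the snippets quoted in the report.
 * Helper names, strtol() in place of pg_atoi(), and the handling of
 * precision <= 0 are assumptions for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FRAC_DIGITS 9   /* sizeof("000000000") - 1, as in the quoted buffer */

/* Returns 1 when fraction[precision] would be outside a buffer that holds
 * nine digits plus the terminator (valid indices are 0..9). */
int terminator_out_of_bounds(int precision)
{
    return precision > FRAC_DIGITS;
}

/* Model of the unclamped shape from the issue. The digit copy is bounded
 * (cpys <= fracs) but the '\0' index is not, so this variant is only safe
 * for 0 <= precision <= 9. It is kept for side-by-side comparison; do not
 * call it with a larger precision outside an ASan build. */
int precision_part_unclamped(int precision, const char *precPart)
{
    char fraction[] = "000000000";
    const int fracs = (int)(sizeof(fraction) - 1);
    size_t cpys = strlen(precPart);

    if (precision <= 0)
        return 0;                       /* assumption: no fractional part */
    if (cpys > (size_t)fracs)
        cpys = (size_t)fracs;           /* copy length is bounded ...      */
    memcpy(fraction, precPart, cpys);
    fraction[precision] = '\0';         /* ... the terminator index is not */
    return (int)strtol(fraction, NULL, 10);
}

/* Hardened variant: clamp precision to the buffer's digit capacity before
 * it is used as an index. This is the one-line change the issue proposes. */
int precision_part_clamped(int precision, const char *precPart)
{
    char fraction[] = "000000000";
    const int fracs = (int)(sizeof(fraction) - 1);
    size_t cpys = strlen(precPart);

    if (precision <= 0)
        return 0;                       /* assumption: no fractional part */
    if (precision > fracs)
        precision = fracs;              /* index now stays inside fraction[] */
    if (cpys > (size_t)fracs)
        cpys = (size_t)fracs;
    memcpy(fraction, precPart, cpys);
    fraction[precision] = '\0';         /* at most fraction[9], the existing NUL */
    return (int)strtol(fraction, NULL, 10);
}

int main(void)
{
    /* Constructed inputs: fractional-second digits as interval conversion
     * would hand them down, with descriptor precisions of 3, 6 and 20. */
    printf("precision 3,  \"123456\" -> %d\n", precision_part_clamped(3, "123456"));
    printf("precision 6,  \"5\"      -> %d\n", precision_part_clamped(6, "5"));
    printf("precision 20, \"123\"    -> %d (clamped to %d digits)\n",
           precision_part_clamped(20, "123"), FRAC_DIGITS);
    printf("would precision 20 index past the buffer? %s\n",
           terminator_out_of_bounds(20) ? "yes" : "no");
    /* precision_part_unclamped(20, "123") mirrors the issue's reproducer;
     * build with -fsanitize=address to see the stack-buffer-overflow report. */
    return 0;
}
```

Build with `cc -fsanitize=address -g example.c` and add a call to `precision_part_unclamped(20, "123")` in `main()` to reproduce the sanitizer report; the clamped variant returns the same values as the unclamped one for every in-range precision and simply truncates to nine digits above that, so there is no behavioural cost to the check.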