Re: BUG #16953: OOB access while converting "interval" to char

From: Julien Rouhaud <rjuju123(at)gmail(dot)com>
To: t(dot)larionov(at)postgrespro(dot)ru, pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: BUG #16953: OOB access while converting "interval" to char
Date: 2021-04-07 12:08:56
Message-ID: 20210407120856.3rjxxnnzzxn74vyv@nol
Lists: pgsql-bugs

Hi,

On Wed, Apr 07, 2021 at 09:09:25AM +0000, PG Bug reporting form wrote:
> The following bug has been logged on the website:
>
> Bug reference: 16953
> Logged by: Theodor Arsenij Larionov-Trichkin
> Email address: t(dot)larionov(at)postgrespro(dot)ru
> PostgreSQL version: 13.2
> Operating system: Ubuntu 20.04.2 LTS
> Description:
>
> 9. Performing this query will result in OOB access of rm_months_lower array
> and as a result crash: SELECT * from TO_CHAR(interval '-1Mon', 'rm');
>
> Output:
> [...]
> terminated by signal 11: Segmentation fault
> 2021-04-07 12:08:01.013 MSK [33887] DETAIL: Failed process was running:
> SELECT * from TO_CHAR(interval '-1Mon', 'rm');

Indeed, thanks a lot for the report!

It's because rm/RM are computed in a way that doesn't play nice with negative
values:

    sprintf(s, "%*s", S_FM(n->suffix) ? 0 : -4,
            rm_months_lower[MONTHS_PER_YEAR - tm->tm_mon]);

PFA a naive patch to fix this problem with some regression tests. I'm assuming
that -1 month should be January and not December. I had a quick look at the
rest of formatting.c and didn't spot any similar problem, but another pair of
eyes wouldn't hurt.

Attachment Content-Type Size
v1-fix_rm.diff text/plain 2.0 KB
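
The index arithmetic behind the crash described in this message, as an added example that is not part of the original e-mail or of the attached patch. The table contents and the helpers `rm_index_unchecked`, `rm_index_in_bounds` and `rm_lookup_checked` are hypothetical; mapping -1 month to January follows the assumption stated in the message.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define MONTHS_PER_YEAR 12

/* Constructed stand-in for the table named in the message. The reversed
 * order (December first) is an assumption inferred from the quoted index. */
static const char *const rm_months_lower[MONTHS_PER_YEAR] = {
    "xii", "xi", "x", "ix", "viii", "vii", "vi", "v", "iv", "iii", "ii", "i"
};

/* The subscript from the quoted sprintf() call, computed in a wider type
 * and never used to read memory, so it can be inspected safely. */
static long long rm_index_unchecked(int tm_mon)
{
    return (long long) MONTHS_PER_YEAR - tm_mon;
}

static int rm_index_in_bounds(long long idx)
{
    return idx >= 0 && idx < MONTHS_PER_YEAR;
}

/* Hypothetical checked lookup. Follows the message's assumption that -1
 * month means January; returns NULL for 0 and for anything outside
 * -12..12. The range test comes first so INT_MIN is never negated. */
static const char *rm_lookup_checked(int tm_mon)
{
    if (tm_mon == 0 || tm_mon < -MONTHS_PER_YEAR || tm_mon > MONTHS_PER_YEAR)
        return NULL;
    int mon = tm_mon < 0 ? -tm_mon : tm_mon;
    return rm_months_lower[MONTHS_PER_YEAR - mon];
}

int main(void)
{
    const int samples[] = { 1, 12, 0, -1, -11, 13, INT_MIN };  /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long long idx = rm_index_unchecked(samples[i]);
        const char *rm = rm_lookup_checked(samples[i]);
        printf("tm_mon=%d unchecked_index=%lld in_bounds=%d checked=%s\n",
               samples[i], idx, rm_index_in_bounds(idx), rm ? rm : "(none)");
    }
    return 0;
}
```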
