Hi,
a fellow Debian Developer found a minor glitch in
src/timezone/localtime.c, where binary search is used. Now I don't
think there is an actual problem (unless there's > 2^30 timezones),
but it would at least make sense to mark the code as okayish so that
people running code scanners won't stumble over the issue again.
The attached patch added comments to address this.
Date: Sun, 30 Nov 2014 22:06:42 +0100
From: Niels Thykier <[email protected]>
Reply-To: Niels Thykier <[email protected]>, [email protected]
To: Debian Bug Tracking System <[email protected]>
Subject: [Pkg-postgresql-public] Bug#771580: postgresql-9.4: Minor binary-search
int overflow
Source: postgresql-9.4
Version: 9.4~rc1-1
Severity: minor
Hi,
I stumbled on the following snippet from src/timezone/localtime.c,
function pg_interpret_timezone_abbrev:
    {
        int lo = 0;
        int hi = sp->timecnt;
        while (lo < hi)
        {
            int mid = (lo + hi) >> 1;
                       ^^^^^^^
This looks like it is subject to a known int overflow, when (original) hi
is close to INT_MAX and the item being close to the end of the array.
~Niels
[The original report had a link here to the googleresearch blog, but
the PG list servers think it is spam :(]
diff --git a/src/timezone/localtime.c b/src/timezone/localtime.c
new file mode 100644
index 19a24e1..878e471
*** a/src/timezone/localtime.c
--- b/src/timezone/localtime.c
*************** localsub(const pg_time_t *timep, long of
*** 1070,1076 ****
while (lo < hi)
{
! int mid = (lo + hi) >> 1;
if (t < sp->ats[mid])
hi = mid;
--- 1070,1076 ----
while (lo < hi)
{
! int mid = (lo + hi) >> 1; /* overflow unlikely */
if (t < sp->ats[mid])
hi = mid;
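Review bot: the comment added on the mid line in localsub says overflow is unlikely but not why, so the next reader or scanner run still has to go looking for the limit on hi. Name the bound that keeps lo + hi in range in the comment itself, so the claim can be checked where it is made.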
*************** pg_next_dst_boundary(const pg_time_t *ti
*** 1423,1429 ****
while (lo < hi)
{
! int mid = (lo + hi) >> 1;
if (t < sp->ats[mid])
hi = mid;
--- 1423,1429 ----
while (lo < hi)
{
! int mid = (lo + hi) >> 1; /* overflow unlikely */
if (t < sp->ats[mid])
hi = mid;
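Review bot: the mid line in pg_next_dst_boundary repeats the computation and the comment from localsub word for word, which leaves the justification in three separate copies that can drift apart. Consider a single shared macro or helper for the midpoint so the overflow reasoning is stated once.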
*************** pg_interpret_timezone_abbrev(const char
*** 1506,1512 ****
while (lo < hi)
{
! int mid = (lo + hi) >> 1;
if (t < sp->ats[mid])
hi = mid;
--- 1506,1512 ----
while (lo < hi)
{
! int mid = (lo + hi) >> 1; /* overflow unlikely */
if (t < sp->ats[mid])
hi = mid;
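Review bot: pg_interpret_timezone_abbrev is the function named in the Debian report, and marking its mid line "overflow unlikely" acknowledges the addition rather than removing it. With lo starting at 0 and the loop holding lo < hi, mid = lo + ((hi - lo) >> 1) yields the same index and cannot overflow, which would close the report without needing a comment.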
--
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
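
The overflow described in the report, as an added example that is not part of the original mail or of PostgreSQL's code: it runs the same search loop with an overflow-free midpoint over a constructed table of INT_MAX entries and records the probe at which (lo + hi) >> 1 would have gone out of range. The names virtual_ats, wrapped_mid and search_safe are hypothetical, and a 32-bit int is assumed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for sp->ats[]: element i holds the value i, so a
 * table of INT_MAX entries can be searched without allocating it. */
static int64_t virtual_ats(int i) { return (int64_t) i; }

/* Value (lo + hi) >> 1 takes on two's-complement targets once the int sum
 * wraps. Done in 64 bits, since signed overflow itself is undefined in C. */
int wrapped_mid(int lo, int hi)
{
    int64_t s = (int64_t) lo + hi;
    if (s > INT_MAX)
        s -= 4294967296LL;                  /* wrap modulo 2^32 (32-bit int) */
    return (int) (s >= 0 ? s / 2 : -((1 - s) / 2));   /* floor, like >> 1 */
}

/* Same loop shape as the searches in the patch, with an overflow-free
 * midpoint. Returns the first index whose value is > t (or count).
 * *first_bad gets the 1-based probe where the original midpoint would
 * have left [lo, hi), or 0 if it never does. */
int search_safe(int64_t t, int count, int *first_bad)
{
    int lo = 0, hi = count, probe = 0;
    *first_bad = 0;
    while (lo < hi)
    {
        int mid = lo + ((hi - lo) >> 1);    /* 0 <= lo < hi, so no overflow */
        int old = wrapped_mid(lo, hi);
        probe++;
        if (*first_bad == 0 && (old < lo || old >= hi))
            *first_bad = probe;
        if (t < virtual_ats(mid))
            hi = mid;
        else
            lo = mid + 1;
    }
    return lo;
}

int main(void)
{
    int bad;
    int idx = search_safe((int64_t) INT_MAX - 2, INT_MAX, &bad);
    printf("index %d, original midpoint breaks at probe %d\n", idx, bad);
    search_safe((1 << 30) - 1, 1 << 30, &bad);
    printf("with 2^30 entries it breaks at probe %d (0 = never)\n", bad);
    return 0;
}
```

With at most 2^30 entries the sum lo + hi never exceeds INT_MAX, which is the threshold mentioned at the top of the mail.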