author Tom Lane 2022-12-21 22:51:50 +0000
committer Tom Lane 2022-12-21 22:51:50 +0000
commit 701c881f782b93ee29587112390bd3bfe035e78d (patch)
tree 9c6fa26811eb5060846fcc75bb0bda3141c028ab /contrib/seg/seg.c
parent 33dd895ef3316bd1896def6882e9075359d7e9af (diff)
Fix contrib/seg to be more wary of long input numbers.
seg stores the number of significant digits in an input number in a "char" field. If char is signed, and the input is more than 127 digits long, the count can read out as negative causing seg_out() to print garbage (or, if you're really unlucky, even crash). To fix, clamp the digit count to be not more than FLT_DIG. (In theory this loses some information about what the original input was, but it doesn't seem like useful information; it would not survive dump/restore in any case.)

Also, in case there are stored values of the seg type containing bad data, add a clamp in seg_out's restore() subroutine.

Per bug #17725 from Robins Tharakan. It's been like this forever, so back-patch to all supported branches.

Discussion: https://postgr.es/m/17725-0a09313b67fbe86e@postgresql.org
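The failure mode and the two clamps described in the commit message above, as an added stand-alone example that is not part of the commit or of PostgreSQL. All function names are hypothetical, the "%.*e" formatting is an assumption, and the out-of-range narrowing to `signed char` is implementation-defined in C (it wraps on mainstream compilers).

```c
#include <float.h>
#include <stdio.h>
#include <string.h>

/* Count decimal digits in an input string (hypothetical helper). */
static int count_digits(const char *s)
{
    int n = 0;
    for (; *s; s++)
        if (*s >= '0' && *s <= '9')
            n++;
    return n;
}

/* Before: the digit count is narrowed into a signed char with no bound. */
static signed char store_unclamped(int ndigits)
{
    return (signed char) ndigits;   /* > 127 typically wraps negative */
}

/* After, input side: clamp to FLT_DIG before storing. */
static signed char store_clamped(int ndigits)
{
    return (signed char) (ndigits > FLT_DIG ? FLT_DIG : ndigits);
}

/* After, output side: same test as the patched restore(). */
static int output_digits(int n)
{
    if (n <= 0)
        return FLT_DIG;             /* corrupted or wrapped count */
    return n < FLT_DIG ? n : FLT_DIG;
}

/* Format with the guarded count; snprintf bounds the write (assumed format). */
static int format_num(char *buf, size_t len, float val, int n)
{
    return snprintf(buf, len, "%.*e", output_digits(n) - 1, val);
}

int main(void)
{
    char input[201], out[32];
    memset(input, '1', 200);        /* constructed 200-digit input */
    input[200] = '\0';
    int nd = count_digits(input);
    printf("digits=%d unclamped=%d clamped=%d\n",
           nd, store_unclamped(nd), store_clamped(nd));
    format_num(out, sizeof out, 1.5f, store_unclamped(nd));
    printf("guarded output: %s\n", out);
    return 0;
}
```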
Diffstat (limited to 'contrib/seg/seg.c')
-rw-r--r-- contrib/seg/seg.c 8
1 files changed, 6 insertions, 2 deletions
diff --git a/contrib/seg/seg.c b/contrib/seg/seg.c
index e964560053d..a7effc1b190 100644
--- a/contrib/seg/seg.c
+++ b/contrib/seg/seg.c
@@ -928,9 +928,13 @@ restore(char *result, float val, int n)
/*
* Put a cap on the number of significant digits to avoid garbage in the
- * output and ensure we don't overrun the result buffer.
+ * output and ensure we don't overrun the result buffer. (n should not be
+ * negative, but check to protect ourselves against corrupted data.)
*/
- n = Min(n, FLT_DIG);
+ if (n <= 0)
+ n = FLT_DIG;
+ else
+ n = Min(n, FLT_DIG);
/* remember the sign */
sign = (val < 0 ? 1 : 0);
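Review bot: the new comment says "n should not be negative", but the added test is `if (n <= 0)`, so a zero count is also replaced with FLT_DIG; the comment should say "zero or negative" so it matches the branch. It would also help to note that this guard only catches counts that read back as non-positive: a corrupted stored count that happens to land in 1..FLT_DIG passes through the `else` branch unchanged, so restore() still depends on the input-side clamp mentioned in the commit message, which is not visible in this seg.c-only view.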