authorBruce Momjian2015-02-02 15:00:44 +0000
committerBruce Momjian2015-02-02 15:00:50 +0000
commit5ae3bf1af34082f3b53955053ce11a6f20b1b751 (patch)
treefb00c8f1c5deb93405eb76cad1e9397bc96f9297 /src
parent611037d5d46c10e1db5313acce74af328f105445 (diff)
to_char(): prevent accesses beyond the allocated buffer
Previously very long field masks for floats could access memory beyond the existing buffer allocated to hold the result. Reported by Andres Freund and Peter Geoghegan. Backpatch to all supported versions. Security: CVE-2015-0241
Diffstat (limited to 'src')
-rw-r--r--src/backend/utils/adt/formatting.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/backend/utils/adt/formatting.c b/src/backend/utils/adt/formatting.c
index 8c87ff7c745..a8b538229e5 100644
--- a/src/backend/utils/adt/formatting.c
+++ b/src/backend/utils/adt/formatting.c
@@ -4409,7 +4409,9 @@ NUM_numpart_to_char(NUMProc *Np, int id)
Np->num_in = TRUE;
}
}
- ++Np->number_p;
+ /* do no exceed string length */
+ if (*Np->number_p)
+ ++Np->number_p;
}
end = Np->num_count + (Np->out_pre_spaces ? 1 : 0) + (IS_DECIMAL(Np->Num) ? 1 : 0);
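Review bot: The added comment `/* do no exceed string length */` has a typo and does not state the invariant that the guard `if (*Np->number_p)` relies on, namely that the digit string is NUL-terminated and the pointer must never move past that terminator. I would write it as `/* number is NUL-terminated: never advance number_p past the terminator */`. NUM_numpart_to_char starts above this hunk, so the earlier reads of `*Np->number_p` are not visible here. It is worth confirming that they behave sensibly once the pointer is parked on the terminator for the remaining mask positions, since a '\0' copied into the output would presumably truncate the result. The diffstat shows only formatting.c changed, so a regression test using a float field mask longer than the converted number would help keep this bounds check from being lost in a later refactor.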