to_char(): prevent accesses beyond the allocated buffer

Previously very long field masks for floats could access memory beyond the existing buffer allocated to hold the result. Reported by Andres Freund and Peter Geoghegan. Backpatch to all supported versions. Security: CVE-2015-0241
author: Bruce Momjian 2015-02-02 15:00:44 +0000
committer: Bruce Momjian 2015-02-02 15:00:50 +0000
commit: b8b5801478e9cdd1c74bd392017b944dcc0891dc (patch)
tree: e2b16d3568c85c4e5e224c05e5bff71d68f14e8a /src
parent: fa06ce595a7a955c3f1f6dbaada71a204f6c7724 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/src/backend/utils/adt/formatting.c b/src/backend/utils/adt/formatting.c
index e17bea26615..6d4cd1feade 100644
--- a/src/backend/utils/adt/formatting.c
+++ b/src/backend/utils/adt/formatting.c
@@ -4416,7 +4416,9 @@ NUM_numpart_to_char(NUMProc *Np, int id)
 					Np->num_in = TRUE;
 				}
 			}
-			++Np->number_p;
+			/* do no exceed string length */
+			if (*Np->number_p)
+				++Np->number_p;
 		}
 
 		end = Np->num_count + (Np->out_pre_spaces ? 1 : 0) + (IS_DECIMAL(Np->Num) ? 1 : 0);
author	Bruce Momjian	2015-02-02 15:00:44 +0000
committer	Bruce Momjian	2015-02-02 15:00:50 +0000
commit	b8b5801478e9cdd1c74bd392017b944dcc0891dc (patch)
tree	e2b16d3568c85c4e5e224c05e5bff71d68f14e8a /src
parent	fa06ce595a7a955c3f1f6dbaada71a204f6c7724 (diff)