Fix off-by-one in memory allocation for quote_literal_cstr().
author: Heikki Linnakangas <heikki.linnakangas@iki.fi>
Fri, 16 Dec 2016 10:50:20 +0000 (12:50 +0200)
committer: Heikki Linnakangas <heikki.linnakangas@iki.fi>
Fri, 16 Dec 2016 10:53:12 +0000 (12:53 +0200)
The calculation didn't take into account the NULL terminator. That led
to overwriting the palloc'd buffer by one byte, if the input consists
entirely of backslashes. For example "format('%L', E'\\')".

Fixes bug #14468. Backpatch to all supported versions.

Report: https://www.postgresql.org/message-id/20161216105001.13334.42819%40wrigleys.postgresql.org
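To make the byte accounting behind this fix concrete, here is an added example that is not PostgreSQL's code. It models the quoting that `quote_literal_cstr()` performs (an `E` prefix when the input contains a backslash, doubling of `'` and `\`, surrounding single quotes; these rules are an assumption modeled on the commit message, as are the function names `quote_literal_demo`, `quote_literal_bufsize` and `old_alloc_overflows`) and counts how many bytes the quoted form occupies, terminator included. For an input made entirely of backslashes every byte is doubled and the `E` prefix is present, so the old `len * 2 + 3` allocation leaves no room for the `'\0'` written at `result[newlen]`.

```c
/* Added example, not PostgreSQL source: models quote_literal_cstr()'s
 * escaping to show why the buffer needs len*2 + 3 + 1 bytes. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Worst-case output size including the NUL terminator:
 * every input byte doubled, plus 'E', two quotes, and the terminator. */
size_t quote_literal_bufsize(size_t len)
{
    return len * 2 + 3 + 1;
}

/* Write the quoted form of src into dst and return the number of bytes
 * written, excluding the terminator. dst must hold
 * quote_literal_bufsize(len) bytes. (Assumed escaping rules.) */
size_t quote_literal_demo(char *dst, const char *src, size_t len)
{
    char *p = dst;

    if (memchr(src, '\\', len) != NULL)
        *p++ = 'E';                 /* E'...' syntax when a backslash is present */
    *p++ = '\'';
    for (size_t i = 0; i < len; i++) {
        if (src[i] == '\\' || src[i] == '\'')
            *p++ = src[i];          /* double the escape character */
        *p++ = src[i];
    }
    *p++ = '\'';
    *p = '\0';                      /* the byte the old allocation did not count */
    return (size_t)(p - dst);
}

/* Number of bytes the quoted form of src occupies, NUL included,
 * measured by quoting into a generously sized scratch buffer. */
size_t quote_literal_bytes_used(const char *src)
{
    size_t len = strlen(src);
    char *scratch = malloc(len * 4 + 16);
    size_t used = quote_literal_demo(scratch, src, len) + 1;
    free(scratch);
    return used;
}

/* 1 if the pre-fix allocation (len*2 + 3) would be overrun by the terminator. */
int old_alloc_overflows(const char *src)
{
    size_t len = strlen(src);
    return quote_literal_bytes_used(src) > len * 2 + 3;
}

/* Quote into an exactly sized buffer; caller frees the result. */
char *quote_literal_alloc(const char *src)
{
    size_t len = strlen(src);
    char *buf = malloc(quote_literal_bufsize(len));
    quote_literal_demo(buf, src, len);
    return buf;
}

int main(void)
{
    /* Constructed sample inputs; the first two are the all-backslash case. */
    const char *inputs[] = { "\\", "\\\\", "it's", "plain" };

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char *q = quote_literal_alloc(inputs[i]);
        printf("%-8s -> %-12s bytes used %zu, old alloc %zu, overflow=%d\n",
               inputs[i], q, quote_literal_bytes_used(inputs[i]),
               strlen(inputs[i]) * 2 + 3, old_alloc_overflows(inputs[i]));
        free(q);
    }
    return 0;
}
```

The overrun is a single byte past the end of a `palloc`'d chunk, which is why it went unnoticed in normal use: it only triggers when no input byte is left undoubled and the `E` prefix is also emitted, i.e. when the input is nothing but backslashes.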

src/backend/utils/adt/quote.c

index 761633bd459f96f2bbbd120302f52bde47b1a65a..7e502aed1e3fa30bfe0a29a51b3fc78b144d9182 100644 (file)
@@ -107,7 +107,7 @@ quote_literal_cstr(const char *rawstr)
 
    len = strlen(rawstr);
    /* We make a worst-case result area; wasting a little space is OK */
-   result = palloc(len * 2 + 3);
+   result = palloc(len * 2 + 3 + 1);
 
    newlen = quote_literal_internal(result, rawstr, len);
    result[newlen] = '\0';
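Review bot: the new size on the `+` line is sufficient (at most 2*len escaped bytes plus the `E` prefix, two quotes, and the NUL stored at `result[newlen] = '\0'`), but the comment above it still only says "worst-case result area" and does not mention the terminator, so the bare `+ 1` reads like slack that a later cleanup could fold back into `+ 3`. Suggest extending the comment, e.g. `/* worst case: E, two quotes, every byte doubled, plus NUL terminator */`, and adding a regression test for the all-backslash input named in the commit message (`format('%L', E'\\')`) so the boundary stays covered.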