to_char(): prevent accesses beyond the allocated buffer

Previously very long field masks for floats could access memory beyond the existing buffer allocated to hold the result. Reported by Andres Freund and Peter Geoghegan. Backpatch to all supported versions. Security: CVE-2015-0241
author: Bruce Momjian <bruce@momjian.us> 2015-02-02 10:00:44 -0500
committer: Bruce Momjian <bruce@momjian.us> 2015-02-02 10:00:44 -0500
commit: 0150ab567bcf5e5913e2b62a1678f84cc272441f (patch)
tree: bdd4ee0ee72e00a46ad571cec52f63ccf00a3f32 /src/backend/utils/adt/formatting.c
parent: f9ee8ea10a432bd5692ef9ff25055717fbf290ce (diff)
download: postgresql-0150ab567bcf5e5913e2b62a1678f84cc272441f.tar.gz
postgresql-0150ab567bcf5e5913e2b62a1678f84cc272441f.zip
1 files changed, 3 insertions, 1 deletions
diff --git a/src/backend/utils/adt/formatting.c b/src/backend/utils/adt/formatting.c
index f39de1f2329..4bc9e1c2815 100644
--- a/src/backend/utils/adt/formatting.c
+++ b/src/backend/utils/adt/formatting.c
@@ -4428,7 +4428,9 @@ NUM_numpart_to_char(NUMProc *Np, int id)
 					Np->num_in = TRUE;
 				}
 			}
-			++Np->number_p;
+			/* do no exceed string length */
+			if (*Np->number_p)
+				++Np->number_p;
 		}
 
 		end = Np->num_count + (Np->out_pre_spaces ? 1 : 0) + (IS_DECIMAL(Np->Num) ? 1 : 0);
author	Bruce Momjian <bruce@momjian.us>	2015-02-02 10:00:44 -0500
committer	Bruce Momjian <bruce@momjian.us>	2015-02-02 10:00:44 -0500
commit	0150ab567bcf5e5913e2b62a1678f84cc272441f (patch)
tree	bdd4ee0ee72e00a46ad571cec52f63ccf00a3f32 /src/backend/utils/adt/formatting.c
parent	f9ee8ea10a432bd5692ef9ff25055717fbf290ce (diff)
download	postgresql-0150ab567bcf5e5913e2b62a1678f84cc272441f.tar.gz postgresql-0150ab567bcf5e5913e2b62a1678f84cc272441f.zip