to_char(): prevent accesses beyond the allocated buffer

Previously very long field masks for floats could access memory beyond the existing buffer allocated to hold the result. Reported by Andres Freund and Peter Geoghegan. Backpatch to all supported versions. Security: CVE-2015-0241

to_char(): prevent accesses beyond the allocated buffer
Previously very long field masks for floats could access memory beyond the existing buffer allocated to hold the result. Reported by Andres Freund and Peter Geoghegan. Backpatch to all supported versions. Security: CVE-2015-0241
0150ab56 · Bruce Momjian · f9ee8ea1 · 0150ab56
Commit 0150ab56 authored Feb 02, 2015 by Bruce Momjian
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

src/backend/utils/adt/formatting.c src/backend/utils/adt/formatting.c +3 -1

No files found.
--- a/src/backend/utils/adt/formatting.c
+++ b/src/backend/utils/adt/formatting.c
@@ -4428,7 +4428,9 @@ NUM_numpart_to_char(NUMProc *Np, int id)
 					Np->num_in = TRUE;
 				}
 			}
-			++Np->number_p;
+			/* do no exceed string length */
+			if (*Np->number_p)
+				++Np->number_p;
 		}
 		end = Np->num_count + (Np->out_pre_spaces ? 1 : 0) + (IS_DECIMAL(Np->Num) ? 1 : 0);