to_char(): prevent accesses beyond the allocated buffer

bmomjian · bmomjian · commit 5ae3bf1af340 · 2015-02-02T10:00:50.000-05:00
Previously very long field masks for floats could access memory beyond the existing buffer allocated to hold the result. Reported by Andres Freund and Peter Geoghegan. Backpatch to all supported versions. Security: CVE-2015-0241
diff --git a/src/backend/utils/adt/formatting.c b/src/backend/utils/adt/formatting.c
@@ -4409,7 +4409,9 @@ NUM_numpart_to_char(NUMProc *Np, int id)
 					Np->num_in = TRUE;
 				}
 			}
-			++Np->number_p;
+			/* do no exceed string length */
+			if (*Np->number_p)
+				++Np->number_p;
 		}
 
 		end = Np->num_count + (Np->out_pre_spaces ? 1 : 0) + (IS_DECIMAL(Np->Num) ? 1 : 0);

Original file line number	Diff line number	Diff line change
`@@ -4409,7 +4409,9 @@ NUM_numpart_to_char(NUMProc *Np, int id)`
`4409`	`4409`	`Np->num_in = TRUE;`
`4410`	`4410`	`}`
`4411`	`4411`	`}`
`4412`		`- ++Np->number_p;`
	`4412`	`+ /* do no exceed string length */`
	`4413`	`+ if (*Np->number_p)`
	`4414`	`+ ++Np->number_p;`
`4413`	`4415`	`}`
`4414`	`4416`
`4415`	`4417`	`end = Np->num_count + (Np->out_pre_spaces ? 1 : 0) + (IS_DECIMAL(Np->Num) ? 1 : 0);`