to_char(): prevent accesses beyond the allocated buffer

Previously very long field masks for floats could access memory
beyond the existing buffer allocated to hold the result.

Reported by Andres Freund and Peter Geoghegan.	Backpatch to all
supported versions.

Security: CVE-2015-0241

diff --git a/src/backend/utils/adt/formatting.c b/src/backend/utils/adt/formatting.c
index f39de1f2329fd65d2c4fbb5a90ecbe391b9a89e1..4bc9e1c2815152f729c1869647d9b18eccced58f 100644 (file)
--- a/src/backend/utils/adt/formatting.c
+++ b/src/backend/utils/adt/formatting.c
@@ -4428,7 +4428,9 @@ NUM_numpart_to_char(NUMProc *Np, int id)
                                        Np->num_in = TRUE;
                                }
                        }
-                       ++Np->number_p;
+                       /* do no exceed string length */
+                       if (*Np->number_p)
+                               ++Np->number_p;
                }
 
                end = Np->num_count + (Np->out_pre_spaces ? 1 : 0) + (IS_DECIMAL(Np->Num) ? 1 : 0);