granicus.if.org Git - postgresql/commitdiff
to_char(): prevent accesses beyond the allocated buffer
author Bruce Momjian <bruce@momjian.us>
Mon, 2 Feb 2015 15:00:44 +0000 (10:00 -0500)
committer Bruce Momjian <bruce@momjian.us>
Mon, 2 Feb 2015 15:00:44 +0000 (10:00 -0500)
Previously very long field masks for floats could access memory
beyond the existing buffer allocated to hold the result.

Reported by Andres Freund and Peter Geoghegan. Backpatch to all
supported versions.

Security: CVE-2015-0241

src/backend/utils/adt/formatting.c

index f39de1f2329fd65d2c4fbb5a90ecbe391b9a89e1..4bc9e1c2815152f729c1869647d9b18eccced58f 100644 (file)
@@ -4428,7 +4428,9 @@ NUM_numpart_to_char(NUMProc *Np, int id)
                                        Np->num_in = TRUE;
                                }
                        }
-                       ++Np->number_p;
+                       /* do no exceed string length */
+                       if (*Np->number_p)
+                               ++Np->number_p;
                }
 
                end = Np->num_count + (Np->out_pre_spaces ? 1 : 0) + (IS_DECIMAL(Np->Num) ? 1 : 0);
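Review bot: the comment on the added line reads "do no exceed string length" and should read "do not exceed string length". The guard itself matches the bug in the commit message: advancing `Np->number_p` only while `*Np->number_p` is non-zero leaves the pointer parked on the terminating NUL instead of walking past the end of the buffer when the field mask is longer than the number string, so later reads through `number_p` only ever see the terminator. It does depend on `number_p` always pointing into a NUL-terminated string; a one-line comment stating that invariant where `number_p` is set (or an Assert on it) would make the fix easier to keep correct, and a regression test that formats a float with a mask longer than the formatted number would pin the behaviour this hunk restores.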