granicus.if.org Git - postgresql/commitdiff
to_char(): prevent accesses beyond the allocated buffer
author Bruce Momjian <bruce@momjian.us>
Mon, 2 Feb 2015 15:00:44 +0000 (10:00 -0500)
committer Bruce Momjian <bruce@momjian.us>
Mon, 2 Feb 2015 15:00:49 +0000 (10:00 -0500)
Previously very long field masks for floats could access memory
beyond the existing buffer allocated to hold the result.

Reported by Andres Freund and Peter Geoghegan. Backpatch to all
supported versions.

Security: CVE-2015-0241

src/backend/utils/adt/formatting.c

index d5ff246c7bd4059ccd67656d2faa618262c7f2c1..7521348af117ed726873904ea2b34d780ffc8509 100644 (file)
@@ -4428,7 +4428,9 @@ NUM_numpart_to_char(NUMProc *Np, int id)
                                        Np->num_in = TRUE;
                                }
                        }
-                       ++Np->number_p;
+                       /* do no exceed string length */
+                       if (*Np->number_p)
+                               ++Np->number_p;
                }
 
                end = Np->num_count + (Np->out_pre_spaces ? 1 : 0) + (IS_DECIMAL(Np->Num) ? 1 : 0);
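Review bot: the added comment on the `+` line has a typo, "do no exceed string length" should read "do not exceed string length". The guard itself, `if (*Np->number_p) ++Np->number_p;`, stops the pointer at the terminating NUL of the formatted number instead of advancing unconditionally, so a field mask longer than the number no longer walks `number_p` past the end of the allocated buffer, which is the fix the commit message describes. It would help a later reader if the comment also said that the pointer is deliberately left parked on the NUL for any remaining mask characters, since the reads of `*Np->number_p` that depend on that are outside this hunk.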