From 5ae3bf1af34082f3b53955053ce11a6f20b1b751 Mon Sep 17 00:00:00 2001 From: Bruce Momjian Date: Mon, 2 Feb 2015 10:00:44 -0500 Subject: [PATCH] to_char(): prevent accesses beyond the allocated buffer Previously very long field masks for floats could access memory beyond the existing buffer allocated to hold the result. Reported by Andres Freund and Peter Geoghegan. Backpatch to all supported versions. Security: CVE-2015-0241 --- src/backend/utils/adt/formatting.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/backend/utils/adt/formatting.c b/src/backend/utils/adt/formatting.c index 8c87ff7c74..a8b538229e 100644 --- a/src/backend/utils/adt/formatting.c +++ b/src/backend/utils/adt/formatting.c @@ -4409,7 +4409,9 @@ NUM_numpart_to_char(NUMProc *Np, int id) Np->num_in = TRUE; } } - ++Np->number_p; + /* do no exceed string length */ + if (*Np->number_p) + ++Np->number_p; } end = Np->num_count + (Np->out_pre_spaces ? 1 : 0) + (IS_DECIMAL(Np->Num) ? 1 : 0); -- 2.40.0