diff options
| author | Bruce Momjian <bruce@momjian.us> | 2015-02-02 10:00:44 -0500 |
|---|---|---|
| committer | Bruce Momjian <bruce@momjian.us> | 2015-02-02 10:00:51 -0500 |
| commit | 037529a11c96a09c85b8bbc443f8301067c0ef22 (patch) | |
| tree | 8fb6fdf370b8fb4d621a26f767ba6b330d47d0e9 | |
| parent | 544cf245bdf1080e80cb6d462846b53b941ee316 (diff) | |
to_char(): prevent accesses beyond the allocated buffer
Previously very long field masks for floats could access memory
beyond the existing buffer allocated to hold the result.
Reported by Andres Freund and Peter Geoghegan. Backpatch to all
supported versions.
Security: CVE-2015-0241
| -rw-r--r-- | src/backend/utils/adt/formatting.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/backend/utils/adt/formatting.c b/src/backend/utils/adt/formatting.c index dc9bf6d7e70..e3eed90f204 100644 --- a/src/backend/utils/adt/formatting.c +++ b/src/backend/utils/adt/formatting.c @@ -4390,7 +4390,9 @@ NUM_numpart_to_char(NUMProc *Np, int id) Np->num_in = TRUE; } } - ++Np->number_p; + /* do no exceed string length */ + if (*Np->number_p) + ++Np->number_p; } end = Np->num_count + (Np->out_pre_spaces ? 1 : 0) + (IS_DECIMAL(Np->Num) ? 1 : 0); |