database/postgres
database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-05-28 05:21:27 +03:00
Code

to_char(): prevent accesses beyond the allocated buffer

Browse Source 
Previously very long field masks for floats could access memory
beyond the existing buffer allocated to hold the result.

Reported by Andres Freund and Peter Geoghegan.	Backpatch to all
supported versions.

Security: CVE-2015-0241
This commit is contained in:
Bruce Momjian 2015-02-02 10:00:44 -05:00
parent 611037d5d4
commit 5ae3bf1af3
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/backend/utils/adt/formatting.c
View File

@ -4409,7 +4409,9 @@ NUM_numpart_to_char(NUMProc *Np, int id)
Np->num_in = TRUE; Np->num_in = TRUE;
} }
} }
++Np->number_p; /* do no exceed string length */
if (*Np->number_p)
++Np->number_p;
} }
end = Np->num_count + (Np->out_pre_spaces ? 1 : 0) + (IS_DECIMAL(Np->Num) ? 1 : 0); end = Np->num_count + (Np->out_pre_spaces ? 1 : 0) + (IS_DECIMAL(Np->Num) ? 1 : 0);