to_char(): prevent accesses beyond the allocated buffer

Previously very long field masks for floats could access memory beyond the existing buffer allocated to hold the result. Reported by Andres Freund and Peter Geoghegan. Backpatch to all supported versions. Security: CVE-2015-0241
2025-05-29 16:21:20 +03:00 · 2015-02-02 10:00:44 -05:00 · 2015-02-02 10:00:44 -05:00 · 5ae3bf1af3
commit 5ae3bf1af3
parent 611037d5d4
1 changed files with 3 additions and 1 deletions
--- a/src/backend/utils/adt/formatting.c
+++ b/src/backend/utils/adt/formatting.c
@ -4409,7 +4409,9 @@ NUM_numpart_to_char(NUMProc *Np, int id)
 					Np->num_in = TRUE;
 				}
 			}
-			++Np->number_p;
+			/* do no exceed string length */
+			if (*Np->number_p)
+				++Np->number_p;
 		}

 		end = Np->num_count + (Np->out_pre_spaces ? 1 : 0) + (IS_DECIMAL(Np->Num) ? 1 : 0);