From: Bruce Momjian Date: Mon, 2 Feb 2015 15:00:44 +0000 (-0500) Subject: to_char(): prevent accesses beyond the allocated buffer X-Git-Tag: REL9_2_10~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5ae3bf1af34082f3b53955053ce11a6f20b1b751;p=thirdparty%2Fpostgresql.git to_char(): prevent accesses beyond the allocated buffer Previously very long field masks for floats could access memory beyond the existing buffer allocated to hold the result. Reported by Andres Freund and Peter Geoghegan. Backpatch to all supported versions. Security: CVE-2015-0241 --- diff --git a/src/backend/utils/adt/formatting.c b/src/backend/utils/adt/formatting.c index 8c87ff7c745..a8b538229e5 100644 --- a/src/backend/utils/adt/formatting.c +++ b/src/backend/utils/adt/formatting.c @@ -4409,7 +4409,9 @@ NUM_numpart_to_char(NUMProc *Np, int id) Np->num_in = TRUE; } } - ++Np->number_p; + /* do no exceed string length */ + if (*Np->number_p) + ++Np->number_p; } end = Np->num_count + (Np->out_pre_spaces ? 1 : 0) + (IS_DECIMAL(Np->Num) ? 1 : 0);
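Review bot: The new comment in this hunk has a typo: "do no exceed string length" should read "do not exceed string length". On the logic itself, the guard `if (*Np->number_p) ++Np->number_p;` stops the pointer at the terminating NUL instead of walking past it, which is the right minimal fix for the over-read described in the commit message; the consequence worth stating in the comment is that once the end of the number string is reached the pointer stays parked on the NUL, so every later iteration in this loop sees `*Np->number_p == '\0'` rather than real digit data. A short note to that effect would make the intent clearer to the next reader than the bare "do not exceed" wording.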