(parent: 611037d)
to_char(): prevent accesses beyond the allocated buffer
author Bruce Momjian <[email protected]> Mon, 2 Feb 2015 15:00:44 +0000 (10:00 -0500)
committer Bruce Momjian <[email protected]> Mon, 2 Feb 2015 15:00:50 +0000 (10:00 -0500)
Previously very long field masks for floats could access memory
beyond the existing buffer allocated to hold the result.
Reported by Andres Freund and Peter Geoghegan. Backpatch to all
supported versions.
Security: CVE-2015-0241
src/backend/utils/adt/formatting.c
diff --git
a/src/backend/utils/adt/formatting.c
b/src/backend/utils/adt/formatting.c
index 8c87ff7c74546d173fa5382598ac4bfbd6704d0a..a8b538229e59755cc4841acabd298d2b4ab1afc3 100644
(file)
--- a/
src/backend/utils/adt/formatting.c
+++ b/
src/backend/utils/adt/formatting.c
@@
-4409,7
+4409,9
@@
NUM_numpart_to_char(NUMProc *Np, int id)
Np->num_in = TRUE;
}
}
- ++Np->number_p;
+ /* do no exceed string length */
+ if (*Np->number_p)
+ ++Np->number_p;
}
end = Np->num_count + (Np->out_pre_spaces ? 1 : 0) + (IS_DECIMAL(Np->Num) ? 1 : 0);
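Review bot: the new guard `if (*Np->number_p)` in NUM_numpart_to_char() is only safe if the string behind Np->number_p is always NUL-terminated, and nothing in the hunk states that invariant. Please spell it out in the comment and fix the typo while there, for example `/* do not advance past the terminating NUL of the number string */`. Once the pointer reaches the terminator it stays on that byte for every remaining mask position, so it is worth confirming what is emitted for those positions and adding a regression test that runs to_char() on a float with a field mask much longer than the number's digits.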