to_char(): prevent accesses beyond the allocated buffer

Previously very long field masks for floats could access memory
beyond the existing buffer allocated to hold the result.

Reported by Andres Freund and Peter Geoghegan.	Backpatch to all
supported versions.

Security: CVE-2015-0241

diff --git a/src/backend/utils/adt/formatting.c b/src/backend/utils/adt/formatting.c
index 8c87ff7c74546d173fa5382598ac4bfbd6704d0a..a8b538229e59755cc4841acabd298d2b4ab1afc3 100644 (file)
--- a/src/backend/utils/adt/formatting.c
+++ b/src/backend/utils/adt/formatting.c
@@ -4409,7 +4409,9 @@ NUM_numpart_to_char(NUMProc *Np, int id)
                    Np->num_in = TRUE;
                }
            }
-           ++Np->number_p;
+           /* do no exceed string length */
+           if (*Np->number_p)
+               ++Np->number_p;
        }
 
        end = Np->num_count + (Np->out_pre_spaces ? 1 : 0) + (IS_DECIMAL(Np->Num) ? 1 : 0);