projects
/
postgresql.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
| inline |
side by side
(parent:
fa06ce5
)
to_char(): prevent accesses beyond the allocated buffer
author
Bruce Momjian
Mon, 2 Feb 2015 15:00:44 +0000
(10:00 -0500)
committer
Bruce Momjian
Mon, 2 Feb 2015 15:00:50 +0000
(10:00 -0500)
Previously very long field masks for floats could access memory
beyond the existing buffer allocated to hold the result.
Reported by Andres Freund and Peter Geoghegan. Backpatch to all
supported versions.
Security: CVE-2015-0241
src/backend/utils/adt/formatting.c
patch
|
blob
|
blame
|
history
diff --git
a/src/backend/utils/adt/formatting.c
b/src/backend/utils/adt/formatting.c
index e17bea266151fdb64dc9331d7a2126d7527ee5de..6d4cd1feade2e7813871bf1a8c6c6c6d32747fee 100644
(file)
--- a/
src/backend/utils/adt/formatting.c
+++ b/
src/backend/utils/adt/formatting.c
@@
-4416,7
+4416,9
@@
NUM_numpart_to_char(NUMProc *Np, int id)
Np->num_in = TRUE;
}
}
- ++Np->number_p;
+ /* do no exceed string length */
+ if (*Np->number_p)
+ ++Np->number_p;
}
end = Np->num_count + (Np->out_pre_spaces ? 1 : 0) + (IS_DECIMAL(Np->Num) ? 1 : 0);
projects / postgresql.git / commitdiff