to_char(): prevent accesses beyond the allocated buffer
author Bruce Momjian <bruce@momjian.us>
Mon, 2 Feb 2015 15:00:44 +0000 (10:00 -0500)
committer Bruce Momjian <bruce@momjian.us>
Mon, 2 Feb 2015 15:00:51 +0000 (10:00 -0500)
Previously very long field masks for floats could access memory
beyond the existing buffer allocated to hold the result.

Reported by Andres Freund and Peter Geoghegan. Backpatch to all
supported versions.

Security: CVE-2015-0241

src/backend/utils/adt/formatting.c

index dc9bf6d7e709ec8ac4e8252f57598f57650becb4..e3eed90f20438e1872007fc398b48d43f3dfcdc0 100644 (file)
@@ -4390,7 +4390,9 @@ NUM_numpart_to_char(NUMProc *Np, int id)
                    Np->num_in = TRUE;
                }
            }
-           ++Np->number_p;
+           /* do no exceed string length */
+           if (*Np->number_p)
+               ++Np->number_p;
        }
 
        end = Np->num_count + (Np->out_pre_spaces ? 1 : 0) + (IS_DECIMAL(Np->Num) ? 1 : 0);
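
Review bot: the added comment reads "do no exceed string length"; it should say "do not exceed string length", and it should also state the invariant the guard depends on. `if (*Np->number_p)` only stops the advance when the pointer already rests on a zero byte, so the fix is correct only if the number string is NUL-terminated inside the allocated buffer. Saying so in the comment, or asserting it where the buffer is filled, would make that assumption explicit. Once the terminator is reached the pointer stays there on every later pass through NUM_numpart_to_char(), so it is worth confirming that any code dereferencing `Np->number_p` afterwards produces the intended output for a zero byte. The diff shown touches only src/backend/utils/adt/formatting.c; a regression test that calls to_char() with a very long float mask would keep this from regressing.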