to_char(): prevent accesses beyond the allocated buffer
author Bruce Momjian <bruce@momjian.us>
Mon, 2 Feb 2015 15:00:44 +0000 (10:00 -0500)
committer Bruce Momjian <bruce@momjian.us>
Mon, 2 Feb 2015 15:00:52 +0000 (10:00 -0500)
Previously very long field masks for floats could access memory
beyond the existing buffer allocated to hold the result.

Reported by Andres Freund and Peter Geoghegan. Backpatch to all
supported versions.

Security: CVE-2015-0241

src/backend/utils/adt/formatting.c

index 1525ad3a13e0f71a32c16258b9ffaa248a74d2c7..e381d088cfb2d3504d509a7d412b5534fed2cea9 100644 (file)
@@ -4187,7 +4187,9 @@ NUM_numpart_to_char(NUMProc *Np, int id)
                    Np->num_in = TRUE;
                }
            }
-           ++Np->number_p;
+           /* do no exceed string length */
+           if (*Np->number_p)
+               ++Np->number_p;
        }
 
        end = Np->num_count + (Np->out_pre_spaces ? 1 : 0) + (IS_DECIMAL(Np->Num) ? 1 : 0);
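
Review bot: the new guard `if (*Np->number_p)` in NUM_numpart_to_char() stops the pointer only when it sits on a NUL byte, so it bounds the access only if the string behind Np->number_p is always NUL-terminated inside its allocation. The comment should name that invariant instead of the generic "string length", and it has a typo ("do no exceed" should read "do not exceed"). Once the pointer rests on the terminator it is no longer advanced, so later passes through this function will dereference the same '\0' again; please confirm that the code reading *Np->number_p treats a repeated terminator as intended rather than as a digit. No regression test using a very long float field mask is visible in this hunk, and one alongside the fix would keep the bound from regressing.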