- Notifications
You must be signed in to change notification settings - Fork4.9k
Commitd555d26
committed
Fix several one-byte buffer over-reads in to_number
Several places in NUM_numpart_from_char(), which is called from the SQLfunction to_number(text, text), could accidentally read one byte pastthe end of the input buffer (which comes from the input text datum andis not null-terminated).1. One leading space character would be skipped, but there was no check that the input was at least one byte long. This does not happen in practice, but for defensiveness, add a check anyway.2. Commit4a3a1e2 apparently accidentally doubled that code that skips one space character (so that two spaces might be skipped), but there was no overflow check before skipping the second byte. Fix by removing that duplicate code.3. A logic error would allow a one-byte over-read when looking for a trailing sign (S) placeholder.In each case, the extra byte cannot be read out directly, but looking atit might cause a crash.The third item was discovered by Piotr Stefaniak, the first two werefound and analyzed by Tom Lane and Peter Eisentraut.1 parent5b1da94 commitd555d26
1 file changed
+4
-4
lines changedLines changed: 4 additions & 4 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
4119 | 4119 | | |
4120 | 4120 | | |
4121 | 4121 | | |
4122 | | - | |
4123 | | - | |
4124 | | - | |
4125 | 4122 | | |
4126 | 4123 | | |
4127 | 4124 | | |
| 4125 | + | |
| 4126 | + | |
| 4127 | + | |
4128 | 4128 | | |
4129 | 4129 | | |
4130 | 4130 | | |
| |||
4274 | 4274 | | |
4275 | 4275 | | |
4276 | 4276 | | |
4277 | | - | |
| 4277 | + | |
4278 | 4278 | | |
4279 | 4279 | | |
4280 | 4280 | | |
| |||
0 commit comments
Comments
(0)