NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit7cac191

committed

Fix corner case bug in numeric to_char() some more.

The band-aid applied in commitf0bedf3 turns out to still needsome work: it made sure we didn't set Np->last_relevant too small(to the left of the decimal point), but it didn't prevent settingit too large (off the end of the partially-converted string).This could result in fetching data beyond the end of the allocatedspace, which with very bad luck could cause a SIGSEGV, thoughI don't see any hazard of interesting memory disclosure.Per bug #17839 from Thiago Nunes. The bug's pretty ancient,so back-patch to all supported versions.Discussion:https://postgr.es/m/17839-aada50db24d7b0da@postgresql.org

1 parent7c509f7 commit7cac191Copy full SHA for 7cac191

File tree

3 files changed

+16

-2

lines changed

src
- backend/utils/adt
  - formatting.c
- test/regress
  - expected
    - numeric.out
  - sql
    - numeric.sql

3 files changed

+16

-2

lines changed

`‎src/backend/utils/adt/formatting.c‎`

Lines changed: 9 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -5684,13 +5684,20 @@ NUM_processor(FormatNode node, NUMDesc Num, char *inout,`
`5684`	`5684`
`5685`	`5685`	`/*`
`5686`	`5686`	`* If any '0' specifiers are present, make sure we don't strip`
`5687`		`- * those digits.`
	`5687`	`+ * those digits. But don't advance last_relevant beyond the last`
	`5688`	`+ * character of the Np->number string, which is a hazard if the`
	`5689`	`+ * number got shortened due to precision limitations.`
`5688`	`5690`	`*/`
`5689`	`5691`	`if (Np->last_relevant&&Np->Num->zero_end>Np->out_pre_spaces)`
`5690`	`5692`	`{`
	`5693`	`+intlast_zero_pos;`
`5691`	`5694`	`char*last_zero;`
`5692`	`5695`
`5693`		`-last_zero=Np->number+ (Np->Num->zero_end-Np->out_pre_spaces);`
	`5696`	`+/* note that Np->number cannot be zero-length here */`
	`5697`	`+last_zero_pos=strlen(Np->number)-1;`
	`5698`	`+last_zero_pos=Min(last_zero_pos,`
	`5699`	`+Np->Num->zero_end-Np->out_pre_spaces);`
	`5700`	`+last_zero=Np->number+last_zero_pos;`
`5694`	`5701`	`if (Np->last_relevant<last_zero)`
`5695`	`5702`	`Np->last_relevant=last_zero;`
`5696`	`5703`	`}`

`‎src/test/regress/expected/numeric.out‎`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1929,6 +1929,12 @@ SELECT to_char('100'::numeric, 'FM999');`
`1929`	`1929`	`100`
`1930`	`1930`	`(1 row)`
`1931`	`1931`
	`1932`	`+SELECT to_char('12345678901'::float8, 'FM9999999999D9999900000000000000000');`
	`1933`	`+ to_char`
	`1934`	`+-----------------`
	`1935`	`+ ##########.####`
	`1936`	`+(1 row)`
	`1937`	`+`
`1932`	`1938`	`-- Check parsing of literal text in a format string`
`1933`	`1939`	`SELECT to_char('100'::numeric, 'foo999');`
`1934`	`1940`	`to_char`

`‎src/test/regress/sql/numeric.sql‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -979,6 +979,7 @@ FROM v;`
`979`	`979`	`SELECT to_char('100'::numeric,'FM999.9');`
`980`	`980`	`SELECT to_char('100'::numeric,'FM999.');`
`981`	`981`	`SELECT to_char('100'::numeric,'FM999');`
	`982`	`+SELECT to_char('12345678901'::float8,'FM9999999999D9999900000000000000000');`
`982`	`983`
`983`	`984`	`-- Check parsing of literal text in a format string`
`984`	`985`	`SELECT to_char('100'::numeric,'foo999');`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit7cac191

File tree

3 files changed

3 files changed

`‎src/backend/utils/adt/formatting.c‎`

`‎src/test/regress/expected/numeric.out‎`

`‎src/test/regress/sql/numeric.sql‎`

0 commit comments