The following bug has been logged on the website:

Bug reference: 17839
Logged by: Thiago Nunes
Email address: thiagotnunes@gmail.com
PostgreSQL version: 15.2
Operating system: Linux

Description:

Heap-buffer overflow on float8_to_char when the format exceeds the maximum double digits.

I noticed this when running tests with a memory sanitiser (msan). The following example triggers the failure (considering that the maximum number of double digits, `DBL_DIG`, is 15):

```
float8_to_char(12345678901, "FM9999999999D999990")
```

Explanation below:

1. After parsing the format, `Num.pre` will be 10, `Num.post` will be 6 and `Num.zero_end` will be 16 (https://github.com/postgres/postgres/blob/REL_15_2/src/backend/utils/adt/formatting.c#L1196-L1228).
2. The template size is greater than `DBL_DIG`, so `Num.post` will be moved back here (https://github.com/postgres/postgres/blob/REL_15_2/src/backend/utils/adt/formatting.c#L6688-L6689).
3. The shortened template with the maximum `DBL_DIG` will be "stringified" out here (https://github.com/postgres/postgres/blob/REL_15_2/src/backend/utils/adt/formatting.c#L6712-L6717). The result will be "##########.####" (10 significant digits + '.' + 4 decimal digits).
4. `Np->last_relevant` will be less than `Num->zero_end`, so it is updated to an invalid position in the result above (pointer + 16) here (https://github.com/postgres/postgres/blob/REL_15_2/src/backend/utils/adt/formatting.c#L5740-L5743).
5. When applying FILLMODE here (https://github.com/postgres/postgres/blob/REL_15_2/src/backend/utils/adt/formatting.c#L5563), it will try to get the character at `Np->last_relevant`, which is out of bounds.
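The mismatch described in steps 1 to 4 (a `zero_end` position derived from the full template, applied to a result string that was shortened to `DBL_DIG` digits) can be modelled and checked in a few lines. The following is an added example, not code from PostgreSQL's formatting.c: `parse_template`, `zero_end_in_bounds` and `clamp_last_relevant` are hypothetical helpers, and the result string "##########.####" is the constructed 15-character output from step 3 of the report. The program reproduces the numbers from the report (pre 10, post 6, zero_end 16) and shows the bounds check a fill-mode step would need before dereferencing the offset.

```c
#include <float.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the three template fields named in the report. */
struct tmpl {
    int pre;      /* digit placeholders before the decimal marker */
    int post;     /* digit placeholders after the decimal marker */
    int zero_end; /* digit position of the last mandatory '0' placeholder */
};

/* Parse a to_char-style numeric format such as "FM9999999999D999990".
 * Only '9', '0' and the decimal marker 'D' (or '.') are interpreted;
 * this is an illustrative parser, not PostgreSQL's NUM_processor. */
static struct tmpl parse_template(const char *fmt)
{
    struct tmpl t = {0, 0, 0};
    bool after_point = false;
    int digits = 0;

    if (strncmp(fmt, "FM", 2) == 0)  /* skip the fill-mode prefix */
        fmt += 2;

    for (; *fmt; fmt++) {
        if (*fmt == 'D' || *fmt == '.') {
            after_point = true;
            continue;
        }
        if (*fmt == '9' || *fmt == '0') {
            digits++;
            if (after_point)
                t.post++;
            else
                t.pre++;
            if (*fmt == '0')
                t.zero_end = digits;  /* last mandatory digit seen so far */
        }
    }
    return t;
}

/* The check the report implies is missing: an offset taken from the
 * template is only usable if it lies inside the formatted result. */
static bool zero_end_in_bounds(const char *result, int zero_end)
{
    return zero_end >= 0 && (size_t) zero_end < strlen(result);
}

/* Defensive variant: never hand back an offset past the last character. */
static int clamp_last_relevant(const char *result, int zero_end)
{
    int last = (int) strlen(result) - 1;
    if (zero_end > last)
        return last;
    return zero_end;
}

int main(void)
{
    /* Numbers from the report: DBL_DIG is 15 on this platform. */
    struct tmpl t = parse_template("FM9999999999D999990");
    /* Constructed: the shortened result from step 3 of the report. */
    const char *shortened = "##########.####";

    printf("DBL_DIG=%d pre=%d post=%d zero_end=%d\n",
           DBL_DIG, t.pre, t.post, t.zero_end);
    printf("result length=%zu, zero_end in bounds: %s\n",
           strlen(shortened),
           zero_end_in_bounds(shortened, t.zero_end) ? "yes" : "no");
    printf("clamped last_relevant offset: %d\n",
           clamp_last_relevant(shortened, t.zero_end));
    return 0;
}
```

The parser yields pre 10, post 6 and zero_end 16 for the report's format, while the shortened result has only 15 characters, so `zero_end_in_bounds` returns false; the clamped offset (14) is the last character of the result. A template whose zeros fit inside the result, such as "FM999D00" against a constructed "123.45", passes the check unchanged.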