Postgres Pro
Downloads
Home   >   mailing lists

Re: BUG #17839: Heap-buffer overflow on float8_to_char with invalid template - Mailing list pgsql-bugs

From Thiago Nunes
Subject Re: BUG #17839: Heap-buffer overflow on float8_to_char with invalid template
Date
Msg-id CANf6e1JxUFXpkH-ZV1u=bDL4vekZsqxeTcRtHVM-A8DZNxgqkw@mail.gmail.com
Whole thread Raw
In response to Re: BUG #17839: Heap-buffer overflow on float8_to_char with invalid template  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-bugs
Tree view
Thanks Tom,

I think your solution deals with all the cases, but I would like to point out how I fixed it locally. I recalculated Num.zero_end after this line (https://github.com/postgres/postgres/blob/REL_15_2/src/backend/utils/adt/formatting.c#L6716):

```
Num.zero_end = Num.pre + Num.post;
```

Cheers,

On Wed, Mar 15, 2023 at 9:49 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
PG Bug reporting form <noreply@postgresql.org> writes:
> Heap-buffer overflow on float8_to_char when format exceeds max double
> digits. I noticed this when running tests with memory sanitiser (msan).
> The following example triggers the failure (considering max double digits
> `DBL_DIG` is 15):
> float8_to_char(12345678901, "FM9999999999D999990")

Thanks for the report!  For reasons that aren't entirely clear to me,
valgrind didn't whine about this until I added a few more zeroes to the
format string, like

SELECT to_char('12345678901'::float8, 'FM9999999999D9999900000000000000000');

Nonetheless, it did see the issue at that point.  I'm inclined to fix
it by making the code that adjusts Np->last_relevant more paranoid,
as attached.

                        regards, tom lane

pgsql-bugs by date:

Previous
From: Tom Lane
Date:
Subject: Re: BUG #17839: Heap-buffer overflow on float8_to_char with invalid template
Next
From: Tom Lane
Date:
Subject: Re: BUG #17839: Heap-buffer overflow on float8_to_char with invalid template