From: | PG Bug reporting form <noreply(at)postgresql(dot)org> |
---|---|
To: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
Cc: | thiagotnunes(at)gmail(dot)com |
Subject: | BUG #17839: Heap-buffer overflow on float8_to_char with invalid template |
Date: | 2023-03-14 01:51:09 |
Message-ID: | 17839-aada50db24d7b0da@postgresql.org |
Lists: | pgsql-bugs |
The following bug has been logged on the website:
Bug reference: 17839
Logged by: Thiago Nunes
Email address: thiagotnunes(at)gmail(dot)com
PostgreSQL version: 15.2
Operating system: Linux
Description:
Heap-buffer overflow on float8_to_char when format exceeds max double
digits. I noticed this when running tests with memory sanitiser (msan).
The following example triggers the failure (considering max double digits
`DBL_DIG` is 15):
```
float8_to_char(12345678901, "FM9999999999D999990")
```
Explanation below:
1. After parsing the format, `Num.pre` will be 10, `Num.post` will be 6, and `Num.zero_end` will be 16
(https://github.com/postgres/postgres/blob/REL_15_2/src/backend/utils/adt/formatting.c#L1196-L1228)
2. The template size is greater than `DBL_DIG`, so `Num.post` will be moved back here
(https://github.com/postgres/postgres/blob/REL_15_2/src/backend/utils/adt/formatting.c#L6688-L6689)
3. The shortened template with the max `DBL_DIG` will be "stringified" out here
(https://github.com/postgres/postgres/blob/REL_15_2/src/backend/utils/adt/formatting.c#L6712-L6717)
The result will be "##########.####" (10 significant digits + '.' + 4 decimal digits).
4. `Np->last_relevant` will be less than `Num->zero_end`, so it is updated to an invalid position in the result above (pointer + 16) here
(https://github.com/postgres/postgres/blob/REL_15_2/src/backend/utils/adt/formatting.c#L5740-L5743)
5. When applying FILLMODE here
(https://github.com/postgres/postgres/blob/REL_15_2/src/backend/utils/adt/formatting.c#L5563)
it will try to get the character at `Np->last_relevant`, which is out of bounds.
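The arithmetic in the five steps above, modelled as a stand-alone C program. This is an added example written for this page, not PostgreSQL's formatting.c: `parse_template`, `render_number` and the `last_relevant_*` helpers are hypothetical reductions of the bookkeeping the report describes (only `9`, `0`, `D`/`.` and a leading `FM` are understood), and the clamped variant is one possible hardening assumed here, not the project's fix. It reproduces the reported numbers (pre 10, post 6, zero_end 16, a 15-character "##########.####" and an index of 16 into it) and also runs a template that does not overflow, so the in-bounds case is visible beside the out-of-bounds one.

```c
#include <float.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the template fields the report names. Not PostgreSQL's NUMDesc. */
typedef struct {
    int pre;       /* digit positions before the decimal point */
    int post;      /* digit positions after it */
    int zero_end;  /* digit count through the last '0' (== pre + post at that point), 0 if none */
    int fillmode;  /* leading "FM" present */
} NumDesc;

/* Step 1: count template digits. Returns 0, or -1 on a character this model does not handle. */
int parse_template(const char *fmt, NumDesc *num)
{
    int seen_decimal = 0, ndigits = 0;
    memset(num, 0, sizeof *num);
    if (strncmp(fmt, "FM", 2) == 0) { num->fillmode = 1; fmt += 2; }
    for (; *fmt; fmt++) {
        switch (*fmt) {
        case '9':
        case '0':
            if (seen_decimal) num->post++; else num->pre++;
            ndigits++;
            if (*fmt == '0') num->zero_end = ndigits;
            break;
        case 'D':
        case '.':
            seen_decimal = 1;
            break;
        default:
            return -1;
        }
    }
    return 0;
}

/* Steps 2 and 3: shorten post so integer digits + post <= DBL_DIG, then render.
 * A value with more integer digits than `pre` renders as '#' fill of length pre+1+post.
 * Returns the rendered length, or -1 if `out` is too small. */
int render_number(double val, NumDesc *num, char *out, size_t outsz)
{
    char intpart[64];
    double mag = val < 0 ? -val : val;
    int int_len = snprintf(intpart, sizeof intpart, "%.0f", mag);

    if (int_len >= DBL_DIG)
        num->post = 0;
    else if (int_len + num->post > DBL_DIG)
        num->post = DBL_DIG - int_len;   /* the template is now shorter than zero_end says */

    if (int_len > num->pre) {
        int n = num->pre;
        if ((size_t)(num->pre + 1 + num->post + 1) > outsz) return -1;
        memset(out, '#', num->pre);
        if (num->post > 0) { out[n++] = '.'; memset(out + n, '#', num->post); n += num->post; }
        out[n] = '\0';
        return n;
    }
    return snprintf(out, outsz, "%.*f", num->post, mag);
}

/* Leading spaces the renderer would emit when the value has fewer integer digits than pre. */
int out_pre_spaces(double val, const NumDesc *num)
{
    char intpart[64];
    double mag = val < 0 ? -val : val;
    int int_len = snprintf(intpart, sizeof intpart, "%.0f", mag);
    return num->pre > int_len ? num->pre - int_len : 0;
}

/* Step 4 as reported: zero_end is applied to the rendered string without checking its length. */
int last_relevant_unchecked(const NumDesc *num, int pre_spaces)
{
    return num->zero_end - pre_spaces;
}

/* Hardened variant (an assumption of this example): never index past the last character. */
int last_relevant_checked(const char *number, const NumDesc *num, int pre_spaces)
{
    int last = (int)strlen(number) - 1;
    int want = num->zero_end - pre_spaces;
    return want < last ? want : last;
}

/* True when idx addresses a character of s (the NUL terminator does not count). */
int index_in_bounds(const char *s, int idx)
{
    return idx >= 0 && idx < (int)strlen(s);
}

int main(void)
{
    const char *templates[] = { "FM9999999999D999990", "FM999D990" };  /* constructed inputs */
    double values[] = { 12345678901.0, 1.5 };
    for (int i = 0; i < 2; i++) {
        NumDesc nd; char buf[64];
        if (parse_template(templates[i], &nd) != 0) { printf("unsupported template\n"); continue; }
        int len = render_number(values[i], &nd, buf, sizeof buf);
        int sp = out_pre_spaces(values[i], &nd);
        int raw = last_relevant_unchecked(&nd, sp), safe = last_relevant_checked(buf, &nd, sp);
        printf("%s -> \"%s\" (len %d) zero_end=%d index=%d %s, clamped=%d\n", templates[i], buf, len,
               nd.zero_end, raw, index_in_bounds(buf, raw) ? "in bounds" : "OUT OF BOUNDS", safe);
    }
    return 0;
}
```

The first template reproduces the report: the rendered string is 15 bytes, the unchecked index is 16, and `index_in_bounds` rejects it; the second template (1.5 with `FM999D990`) renders as "1.500" with two leading-space positions, so the same arithmetic yields index 4, the last character, and passes.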