Re: pgsql: Fix several one-byte buffer over-reads in to_number
From | Tom Lane |
---|---|
Subject | Re: pgsql: Fix several one-byte buffer over-reads in to_number |
Date | |
Msg-id | 23899.1470755074@sss.pgh.pa.us |
In reply to | Re: pgsql: Fix several one-byte buffer over-reads in to_number (Piotr Stefaniak <postgres@piotr-stefaniak.me>) |
List | pgsql-committers |
Piotr Stefaniak <postgres@piotr-stefaniak.me> writes:
> I've been meaning to update my patch like this, but didn't want to
> bother you before trying to find more issues with formatting.c (still
> haven't found the time for that, sadly):

> -		if (*Np->inout_p == ' ')
> +		while (!OVERLOAD_TEST && isspace((unsigned char) *Np->inout_p))
>  			Np->inout_p++;

Meh.  I agree that replacing the "== ' '" test with isspace() would be an
improvement, since that seems to be the way it's done elsewhere in
formatting.c.  But changing this into a loop, so that it's willing to
consume any amount of whitespace, is a nontrivial change in the
specification of to_number().  I'm not at all sure it's a good idea; IMO
the point of to_number() is to parse numbers according to a fairly
tightly controlled format.

I'd even argue that unconditionally consuming a single space is the wrong
thing here.  Rather, I think what this is meant to be doing is treating a
space as one of the possible alternatives for a sign character, and so
instead of this what the code ought to be is an alternative on the same
footing as '+' or '-', a few lines down:

			else if (*Np->inout_p == '+')
			{
				*Np->number = '+';	/* set + */
				Np->inout_p++;
			}
+			else if (isspace((unsigned char) *Np->inout_p))
+			{
+				*Np->number = '+';	/* set + */
+				Np->inout_p++;
+			}
		}
	}

			regards, tom lane
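Review bot: in the quoted hunk, the `+` line changes two things at once: it adds the `!OVERLOAD_TEST` bound before the dereference, which is the over-read fix the commit subject is about, and it turns a single-space `if` into a `while` over `isspace()`, which makes to_number() accept any run of blanks, tabs or newlines where it previously accepted exactly one space. The bound check should be kept whatever is decided about the whitespace question; if the one-space format is to stay, `if (!OVERLOAD_TEST && *Np->inout_p == ' ')` fixes the read without widening what the function accepts.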
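Review bot: the proposed `+ else if (isspace((unsigned char) *Np->inout_p))` branch dereferences `*Np->inout_p` without the `!OVERLOAD_TEST` guard that the quoted loop carries, and neither does the existing `else if (*Np->inout_p == '+')` branch above it. Unless the enclosing chain is already guaranteed to run only while the pointer is inside the input (not visible in the hunk), an input that ends right where a sign is expected still reads one byte past the end, which is exactly the class of bug being fixed here; either confirm the guard is established before the chain or add `!OVERLOAD_TEST &&` to the new condition.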
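To make the difference between the two proposals concrete, here is an added illustration that is not PostgreSQL's formatting.c and not code from either poster: a minimal sign parser written both ways, with an explicit end pointer standing in for the `OVERLOAD_TEST` bound so that every dereference is guarded. `parse_sign_strict` follows Tom Lane's proposal (a single blank is one alternative for the sign, on the same footing as '+'), and `parse_sign_loose` follows the quoted loop (swallow any run of whitespace, then look for a sign). The struct and function names are this example's own.

```c
#include <ctype.h>
#include <stddef.h>

/*
 * Added illustration, not PostgreSQL code.  'len' bounds the input the
 * way OVERLOAD_TEST does in formatting.c: *p is never read unless p < end.
 */
typedef struct
{
    char    sign;       /* '+' or '-' once a sign token was consumed, else 0 */
    size_t  consumed;   /* number of input bytes consumed */
} sign_result;

/* Tom Lane's proposal: a single whitespace byte is one alternative for the sign. */
static sign_result
parse_sign_strict(const char *s, size_t len)
{
    sign_result r = {0, 0};
    const char *p = s, *end = s + len;

    if (p < end && *p == '-')
    {
        r.sign = '-';
        p++;
    }
    else if (p < end && *p == '+')
    {
        r.sign = '+';
        p++;
    }
    /* cast to unsigned char: isspace() on a negative char is undefined */
    else if (p < end && isspace((unsigned char) *p))
    {
        r.sign = '+';           /* a blank stands for an implicit plus */
        p++;
    }
    r.consumed = (size_t) (p - s);
    return r;
}

/* The quoted patch's behaviour: swallow any run of whitespace, then check for a sign. */
static sign_result
parse_sign_loose(const char *s, size_t len)
{
    sign_result r = {0, 0};
    const char *p = s, *end = s + len;

    while (p < end && isspace((unsigned char) *p))
        p++;
    if (p < end && *p == '-')
    {
        r.sign = '-';
        p++;
    }
    else if (p < end && *p == '+')
    {
        r.sign = '+';
        p++;
    }
    r.consumed = (size_t) (p - s);
    return r;
}
```

On the constructed input `"  -12"` the strict form consumes the first blank as an implicit '+' and stops, while the loose form skips both blanks and reports '-'; that divergence is the specification change the reply objects to. Both forms return without reading anything on an empty input, which is the over-read case the commit subject refers to.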