Fix one-byte buffer overrun in PQprintTuples().

tglsfdc · tglsfdc · commit 59d70a5e9c9a · 2013-01-20T23:44:11.000-05:00
This bug goes back to the original Postgres95 sources.  Its significance
to modern PG versions is marginal, since we have not used PQprintTuples()
internally in a very long time, and it doesn't seem to have ever been
documented either.  Still, it *is* exposed to client apps, so somebody
out there might possibly be using it.

Xi Wang
diff --git a/src/interfaces/libpq/fe-print.c b/src/interfaces/libpq/fe-print.c
@@ -686,7 +686,6 @@ PQprintTuples(const PGresult *res,
 	int			i,
 				j;
 	char		formatString[80];
-
 	char	   *tborder = NULL;
 
 	nFields = PQnfields(res);
@@ -705,15 +704,15 @@ PQprintTuples(const PGresult *res,
 			int			width;
 
 			width = nFields * 14;
-			tborder = malloc(width + 1);
+			tborder = (char *) malloc(width + 1);
 			if (!tborder)
 			{
 				fprintf(stderr, libpq_gettext("out of memory\n"));
 				exit(1);
 			}
-			for (i = 0; i <= width; i++)
+			for (i = 0; i < width; i++)
 				tborder[i] = '-';
-			tborder[i] = '\0';
+			tborder[width] = '\0';
 			fprintf(fout, "%s\n", tborder);
 		}
 
