Avoid integer overflow and buffer overrun in hstore_to_json().

Tom Lane <tgl@sss.pgh.pa.us>

Commit: f44290b7b3763f339ed66f883c0e85bb3c3c4e88
Author: Tom Lane <tgl@sss.pgh.pa.us>
Date: 2014-11-04T21:54:59Z
Releases: 9.3.6
Avoid integer overflow and buffer overrun in hstore_to_json().

This back-patches commit 0c5783ff301ae3e470000c918bfc2395129de4c5 into the
9.3 branch.  At the time, Heikki just thought he was fixing an unlikely
integer-overflow scenario, but in point of fact the original coding was
hopelessly broken: it supposed that escape_json never enlarges the data
more than 2X, which is wrong on its face.  The revised code eliminates
making any a-priori assumptions about the output length.

Per report from Saul Costa.  The bogus code doesn't exist before 9.3,
so no other branches need fixing.

Files

PathChange+/−
contrib/hstore/hstore_io.c modified +41 −109