Re: BUG #16953: OOB access while converting "interval" to char

Hi,

On Wed, Apr 07, 2021 at 09:09:25AM +0000, PG Bug reporting form wrote:
> The following bug has been logged on the website:
> 
> Bug reference:      16953
> Logged by:          Theodor Arsenij Larionov-Trichkin
> Email address:      t.larionov@postgrespro.ru
> PostgreSQL version: 13.2
> Operating system:   Ubuntu 20.04.2 LTS
> Description:        
> 
> 9. Performing this query will result in OOB access of rm_months_lower array
> and as a result crash: SELECT * from TO_CHAR(interval '-1Mon', 'rm');
> 
> Output:
> [...]
> terminated by signal 11: Segmentation fault
> 2021-04-07 12:08:01.013 MSK [33887] DETAIL:  Failed process was running:
> SELECT * from TO_CHAR(interval '-1Mon', 'rm');

Indeed, thanks a lot for the report!

It's because rm/RM are computed in a way that doesn't play nice with negative
values:

                sprintf(s, "%*s", S_FM(n->suffix) ? 0 : -4,
                        rm_months_lower[MONTHS_PER_YEAR - tm->tm_mon]);

PFA a naive patch to fix this problem with some regression tests.  I'm assuming
that -1 month should be january and not december.  I had a quick look at the
rest of formatting.c and didn't spot any similar problem, but another pair of
eyes wouldn't hurt.