Detect buffer underflow in get_th()

Input with zero length can result in a buffer underflow when
accessing *(num + (len - 1)), as (len - 1) would produce a negative
index.  Add an assertion for zero-length input to prevent it.

This was found by ALT Linux Team.

Reviewing the call sites shows that get_th() currently cannot be
applied to an empty string: it is always called on a string containing
a number we've just printed.  Therefore, an assertion rather than a
user-facing error message is sufficient.

Co-authored-by: Alexander Kuznetsov <[email protected]>
Discussion: https://www.postgresql.org/message-id/flat/[email protected]

Author: petere

src/backend/utils/adt/formatting.c

@@ -1565,6 +1565,8 @@ get_th(char *num, int type)
 	int			len = strlen(num),
 				last;
 
+	Assert(len > 0);
+
 	last = *(num + (len - 1));
 	if (!isdigit((unsigned char) last))
 		ereport(ERROR,