Re: BUG #18276: Heap-buffer-overflow triggered in src/backend/utils/adt/datum.c:163
| From | Tom Lane |
|---|---|
| Subject | Re: BUG #18276: Heap-buffer-overflow triggered in src/backend/utils/adt/datum.c:163 |
| Date | |
| Msg-id | 1633850.1704655019@sss.pgh.pa.us |
| In reply to | BUG #18276: Heap-buffer-overflow triggered in src/backend/utils/adt/datum.c:163 (PG Bug reporting form <noreply@postgresql.org>) |
| Responses | Re: BUG #18276: Heap-buffer-overflow triggered in src/backend/utils/adt/datum.c:163 |
| List | pgsql-bugs |
PG Bug reporting form <noreply@postgresql.org> writes:
> My fuzzer finds a heap-buffer-overflow bug in PostgreSQL 17devel, which
> makes PostgreSQL crash.
All I see here is a datatype declaration that doesn't match what the
C functions expect. You wrote:
> CREATE TYPE widget (
> input = widget_in,
> output = widget_out,
> alignment = double
> );
but the declaration that the regress.so functions expect is what's in
src/test/regress/sql/create_type.sql:
```sql
CREATE TYPE widget (
    internallength = 24,
    input = widget_in,
    output = widget_out,
    typmod_in = numerictypmodin,
    typmod_out = numerictypmodout,
    alignment = double
);
```
That is, widget_in expects it should produce a fixed-length Datum
(24 bytes long, with no length word). But you declared the type
as variable-length, meaning that datumCopy expects to find a length
word. That discrepancy leads directly to the reported crash.
regards, tom lane
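To make the mismatch Tom describes concrete, here is an added C illustration (not PostgreSQL source code) that models how datumCopy() decides how many bytes to copy from a by-reference datum, and shows what happens when a 24-byte fixed-length payload is declared as variable-length. The Widget struct layout, the helper names and the sample values are assumptions, and the varlena header is simplified to a plain 4-byte length word.

```c
/* Added demonstration, not PostgreSQL source: a simplified model of the
 * datumCopy() length decision. Struct layout and helper names are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-length widget payload: three doubles = 24 bytes, which
 * is what "internallength = 24" in create_type.sql promises the backend. */
typedef struct {
    double center_x;
    double center_y;
    double radius;
} Widget;

/* Constructed sample datum; its leading bytes are payload, not a header. */
static const Widget sample_widget = { 0.1, 0.2, 0.3 };

/* Number of bytes datumCopy() would copy for a by-reference datum.
 * typlen > 0  : fixed-length type, copy exactly typlen bytes.
 * typlen == -1: variable-length type, trust the leading length word.
 * Simplification: the real varlena header also packs flag bits into the word. */
static size_t datum_copy_len(const void *datum, int typlen)
{
    if (typlen > 0)
        return (size_t) typlen;
    uint32_t length_word;
    memcpy(&length_word, datum, sizeof length_word); /* payload read as a header */
    return length_word;
}

/* Bytes the copy would read past the 24-byte allocation (0 means in bounds). */
static size_t overread_bytes(const Widget *w, int declared_typlen)
{
    size_t n = datum_copy_len(w, declared_typlen);
    return n > sizeof *w ? n - sizeof *w : 0;
}

int main(void)
{
    printf("declared internallength = 24: overread %zu bytes\n",
           overread_bytes(&sample_widget, 24));
    printf("declared variable-length    : overread %zu bytes\n",
           overread_bytes(&sample_widget, -1));
    return 0;
}
```

With the fixed-length declaration the copy is exactly 24 bytes; with the variable-length declaration the first bytes of the double are interpreted as a length and the copy reads far past the allocation, which is the heap-buffer-overflow the fuzzer reported.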