| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | zuming(dot)jiang(at)inf(dot)ethz(dot)ch |
| Cc: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
| Subject: | Re: BUG #18276: Heap-buffer-overflow triggered in src/backend/utils/adt/datum.c:163 |
| Date: | 2024-01-07 19:16:59 |
| Message-ID: | 1633850.1704655019@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
PG Bug reporting form <noreply(at)postgresql(dot)org> writes:
> My fuzzer finds a heap-buffer-overflow bug in PostgreSQL 17devel, which
> makes PostgreSQL crash.
All I see here is a datatype declaration that doesn't match what the
C functions expect. You wrote:
> CREATE TYPE widget (
> input = widget_in,
> output = widget_out,
> alignment = double
> );
but the declaration that the regress.so functions expect is what's in
src/test/regress/sql/create_type.sql:
CREATE TYPE widget (
internallength = 24,
input = widget_in,
output = widget_out,
typmod_in = numerictypmodin,
typmod_out = numerictypmodout,
alignment = double
);
That is, widget_in expects it should produce a fixed-length Datum
(24 bytes long, with no length word). But you declared the type
as variable-length, meaning that datumCopy expects to find a length
word. That discrepancy leads directly to the reported crash.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Zu-Ming Jiang | 2024-01-07 19:28:28 | Re: BUG #18276: Heap-buffer-overflow triggered in src/backend/utils/adt/datum.c:163 |
| Previous Message | Zu-Ming Jiang | 2024-01-07 19:08:00 | Re: BUG #18276: Heap-buffer-overflow triggered in src/backend/utils/adt/datum.c:163 |