BUG #18680: [ECPG] heap-use-after-free (read)

From: PG Bug reporting form <noreply(at)postgresql(dot)org>
To: pgsql-bugs(at)lists(dot)postgresql(dot)org
Cc: stasos24(at)gmail(dot)com
Subject: BUG #18680: [ECPG] heap-use-after-free (read)
Date: 2024-10-31 13:09:38
Message-ID: 18680-398f1f32373e35de@postgresql.org
Lists: pgsql-bugs

The following bug has been logged on the website:

Bug reference: 18680
Logged by: Stanislav Osipov
Email address: stasos24(at)gmail(dot)com
PostgreSQL version: 17.0
Operating system: Ubuntu 22
Description:

```
"Date": "2024-10-31T12:09:38.295648+00:00",
"Uname": "Linux d5dbeabbf3a9 5.10.0-25-amd64 #1 SMP Debian 5.10.191-1 (2023-08-16) x86_64 x86_64 x86_64 GNU/Linux",
"OS": "Ubuntu",
"OSRelease": "22.04",
"Architecture": "amd64",
"ExecutablePath": "./src/interfaces/ecpg/preproc/ecpg",
"ProcCmdline": "./src/interfaces/ecpg/preproc/ecpg /final/default/crashes/id:000078,sig:06,src:004854,time:76305176,execs:20082633,op:havoc,rep:16.sql",
"CrashSeverity": {
  "Type": "NOT_EXPLOITABLE",
  "ShortDescription": "heap-use-after-free(read)",
  "Description": "Use of deallocated memory",
  "Explanation": "The target crashed when reading from memory after it has been freed."
},
"Stacktrace": [
  " #0 0x4344f5 in strlen (/postgres/src/interfaces/ecpg/preproc/ecpg+0x4344f5)",
  " #1 0x538e7c in cat2_str /postgres/src/interfaces/ecpg/preproc/preproc.y:141:51",
  " #2 0x538875 in cat_str /postgres/src/interfaces/ecpg/preproc/preproc.y:165:13",
  " #3 0x52c0f5 in base_yyparse /postgres/src/interfaces/ecpg/preproc/preproc.y",
  " #4 0x4d3236 in main /postgres/src/interfaces/ecpg/preproc/ecpg.c:483:5",
  " #5 0x7ffff7caed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16",
  " #6 0x7ffff7caee3f in __libc_start_main csu/../csu/libc-start.c:392:3",
  " #7 0x420434 in _start (/postgres/src/interfaces/ecpg/preproc/ecpg+0x420434)"
],
"Registers": {},
"Disassembly": [],
"Package": "",
"PackageVersion": "",
"PackageArchitecture": "",
"PackageDescription": "",
"AsanReport": [
  "==2714==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000009400 at pc 0x0000004344f6 bp 0x7fffffff9720 sp 0x7fffffff8ee0",
  "READ of size 2 at 0x60c000009400 thread T0",
  " #0 0x4344f5 in strlen (/postgres/src/interfaces/ecpg/preproc/ecpg+0x4344f5)",
  " #1 0x538e7c in cat2_str /postgres/src/interfaces/ecpg/preproc/preproc.y:141:51",
  " #2 0x538875 in cat_str /postgres/src/interfaces/ecpg/preproc/preproc.y:165:13",
  " #3 0x52c0f5 in base_yyparse /postgres/src/interfaces/ecpg/preproc/preproc.y",
  " #4 0x4d3236 in main /postgres/src/interfaces/ecpg/preproc/ecpg.c:483:5",
  " #5 0x7ffff7caed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16",
  " #6 0x7ffff7caee3f in __libc_start_main csu/../csu/libc-start.c:392:3",
  " #7 0x420434 in _start (/postgres/src/interfaces/ecpg/preproc/ecpg+0x420434)",
  "",
  "0x60c000009400 is located 0 bytes inside of 121-byte region [0x60c000009400,0x60c000009479)",
  "freed by thread T0 here:",
  " #0 0x49d0b2 in free (/postgres/src/interfaces/ecpg/preproc/ecpg+0x49d0b2)",
  " #1 0x52a256 in base_yyparse /postgres/src/interfaces/ecpg/preproc/preproc.y",
  " #2 0x4d3236 in main /postgres/src/interfaces/ecpg/preproc/ecpg.c:483:5",
  " #3 0x7ffff7caed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16",
  "",
  "previously allocated by thread T0 here:",
  " #0 0x49d31d in __interceptor_malloc (/postgres/src/interfaces/ecpg/preproc/ecpg+0x49d31d)",
  " #1 0x53bd32 in mm_alloc /postgres/src/interfaces/ecpg/preproc/type.c:15:17",
  " #2 0x524150 in base_yyparse /postgres/src/interfaces/ecpg/preproc/preproc.y",
  " #3 0x4d3236 in main /postgres/src/interfaces/ecpg/preproc/ecpg.c:483:5",
  " #4 0x7ffff7caed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16",
  "",
  "SUMMARY: AddressSanitizer: heap-use-after-free (/postgres/src/interfaces/ecpg/preproc/ecpg+0x4344f5) in strlen",
  "Shadow bytes around the buggy address:",
  " 0x0c187fff9230: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd",
  " 0x0c187fff9240: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa",
  " 0x0c187fff9250: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd",
  " 0x0c187fff9260: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd",
  " 0x0c187fff9270: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa",
  "=>0x0c187fff9280:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd",
  " 0x0c187fff9290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa",
  " 0x0c187fff92a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa",
  " 0x0c187fff92b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa",
  " 0x0c187fff92c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa",
  " 0x0c187fff92d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa",
  "Shadow byte legend (one shadow byte represents 8 application bytes):",
  " Addressable: 00",
  " Partially addressable: 01 02 03 04 05 06 07",
  " Heap left redzone: fa",
  " Freed heap region: fd",
  " Stack left redzone: f1",
  " Stack mid redzone: f2",
  " Stack right redzone: f3",
  " Stack after return: f5",
  " Stack use after scope: f8",
  " Global redzone: f9",
  " Global init order: f6",
  " Poisoned by user: f7",
  " Container overflow: fc",
  " Array cookie: ac",
  " Intra object redzone: bb",
  " ASan internal: fe",
  " Left alloca redzone: ca",
  " Right alloca redzone: cb",
  "==2714==ABORTING"
],
"UbsanReport": [],
"PythonReport": [],
"GoReport": [],
"JavaReport": [],
"RustReport": [],
"JsReport": [],
"CSharpReport": [],
"CrashLine": "/postgres/src/interfaces/ecpg/preproc/preproc.y:141:51",
"Source": [
  " 137 ",
  " 138 static char *",
  " 139 cat2_str(char *str1, char *str2)",
  " 140 {",
  "--->141 \tchar * res_str\t= (char *)mm_alloc(strlen(str1) + strlen(str2) + 2);",
  " 142 ",
  " 143 \tstrcpy(res_str, str1);",
  " 144 \tif (strlen(str1) != 0 && strlen(str2) != 0)",
  " 145 \t\tstrcat(res_str, \" \");",
  " 146 \tstrcat(res_str, str2);"
]
```

crash_file:
```
execSQL--
CREATE FUNCTION u()LANGUAGE S
BEGIN ATOMIC
SELECT(0);
```
