Re: BUG #18276: Heap-buffer-overflow triggered in src/backend/utils/adt/datum.c:163

From: Zu-Ming Jiang <zuming(dot)jiang(at)inf(dot)ethz(dot)ch>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: <pgsql-bugs(at)lists(dot)postgresql(dot)org>
Subject: Re: BUG #18276: Heap-buffer-overflow triggered in src/backend/utils/adt/datum.c:163
Date: 2024-01-07 19:28:28
Message-ID: 25caa537-1add-4561-8ef9-806c46ac98ce@inf.ethz.ch
Lists: pgsql-bugs

Thank you for figuring out the problem, Tom!

> but the declaration that the regress.so functions expect is what's in
> src/test/regress/sql/create_type.sql:
>
> CREATE TYPE widget (
> internallength = 24,
> input = widget_in,
> output = widget_out,
> typmod_in = numerictypmodin,
> typmod_out = numerictypmodout,
> alignment = double
> );

After using the correct type you mentioned, the test case does not
trigger a crash anymore.

But I am a bit wondering whether it is a bug. I think PostgreSQL should
not directly crash because of an incorrect datatype. Maybe PostgreSQL can
return an error?

Best wishes,
Zuming

------------------------------------------------------------------------
*From:* Tom Lane [mailto:tgl(at)sss(dot)pgh(dot)pa(dot)us]
*Sent:* Sunday, January 7, 2024 at 8:16 PM
*To:* zuming(dot)jiang(at)inf(dot)ethz(dot)ch
*Cc:* pgsql-bugs(at)lists(dot)postgresql(dot)org
*Subject:* BUG #18276: Heap-buffer-overflow triggered in
src/backend/utils/adt/datum.c:163

> PG Bug reporting form<noreply(at)postgresql(dot)org> writes:
>> My fuzzer finds a heap-buffer-overflow bug in PostgreSQL 17devel, which
>> makes PostgreSQL crash.
> All I see here is a datatype declaration that doesn't match what the
> C functions expect. You wrote:
>
>> CREATE TYPE widget (
>> input = widget_in,
>> output = widget_out,
>> alignment = double
>> );
> but the declaration that the regress.so functions expect is what's in
> src/test/regress/sql/create_type.sql:
>
> CREATE TYPE widget (
> internallength = 24,
> input = widget_in,
> output = widget_out,
> typmod_in = numerictypmodin,
> typmod_out = numerictypmodout,
> alignment = double
> );
>
> That is, widget_in expects it should produce a fixed-length Datum
> (24 bytes long, with no length word). But you declared the type
> as variable-length, meaning that datumCopy expects to find a length
> word. That discrepancy leads directly to the reported crash.
>
> regards, tom lane
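To make the quoted explanation concrete, here is a small stand-alone C model (an added example, not PostgreSQL's own code) of the length decision datumCopy makes for a pass-by-reference type: with internallength 24 it copies exactly 24 bytes, but with a variable-length declaration it decodes the first bytes of the widget payload as a varlena length word. It assumes a little-endian host and a simplified varlena header decoding; the 24-byte payload of three doubles standing in for widget_in's result is constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WIDGET_LEN 24   /* internallength the regress widget_in really produces */

/* Simplified model of VARSIZE_ANY on a little-endian host: 1-byte header when
 * the low bit is set, else a 4-byte header with the length in bits 2..31. */
static size_t model_varsize_any(const unsigned char *p)
{
    uint32_t hdr;
    if (p[0] & 0x01)                 /* short (1-byte) header */
        return (p[0] >> 1) & 0x7F;
    memcpy(&hdr, p, sizeof hdr);     /* full 4-byte header */
    return (hdr >> 2) & 0x3FFFFFFF;
}

/* Size datumCopy decides to copy for a pass-by-reference type: typlen -1 means
 * "read the length word", any other value is a fixed length. */
static size_t model_datum_copy_size(const unsigned char *value, int typ_len)
{
    if (typ_len == -1)
        return model_varsize_any(value);
    return (size_t) typ_len;
}

/* Constructed stand-in for widget_in's result: three doubles and no length
 * word. Returns the byte count datumCopy would read under the declared typlen. */
static size_t copy_size_for_declared_typlen(int typ_len)
{
    double widget[3] = {0.1, 0.2, 0.3};
    unsigned char buf[WIDGET_LEN];
    memcpy(buf, widget, sizeof buf);
    return model_datum_copy_size(buf, typ_len);
}

/* True when the copy stays inside the 24 bytes widget_in actually allocated. */
static int copy_stays_in_bounds(int typ_len)
{
    return copy_size_for_declared_typlen(typ_len) <= WIDGET_LEN;
}

int main(void)
{
    printf("internallength = 24: copies %zu bytes, in bounds: %d\n",
           copy_size_for_declared_typlen(24), copy_stays_in_bounds(24));
    printf("variable-length:     copies %zu bytes, in bounds: %d\n",
           copy_size_for_declared_typlen(-1), copy_stays_in_bounds(-1));
    return 0;
}
```

With the variable-length declaration the bytes of the first double are decoded as a length of several hundred megabytes, which is the read past the 24-byte allocation that the sanitizer reported.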
