NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commite1f7173

committed

Avoid potential buffer overflow crash

A pointer to a C string was treated as a pointer to a "name" datum andpassed to SPI_execute_plan(). This pointer would then end up beingpassed through datumCopy(), which would try to copy the entire 64 bytesof name data, thus running past the end of the C string. Fix byconverting the string to a proper name structure.Found by LLVM AddressSanitizer.

1 parent92a7521 commite1f7173Copy full SHA for e1f7173

File tree

1 file changed

-1

lines changed

src/backend/utils/adt
- ruleutils.c

1 file changed

-1

lines changed

`‎src/backend/utils/adt/ruleutils.c‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -454,7 +454,7 @@ pg_get_viewdef_worker(Oid viewoid, int prettyFlags)`
`454`	`454`	`* Get the pg_rewrite tuple for the view's SELECT rule`
`455`	`455`	`*/`
`456`	`456`	`args[0]=ObjectIdGetDatum(viewoid);`
`457`		`-args[1]=PointerGetDatum(ViewSelectRuleName);`
	`457`	`+args[1]=DirectFunctionCall1(namein,CStringGetDatum(ViewSelectRuleName));`
`458`	`458`	`nulls[0]=' ';`
`459`	`459`	`nulls[1]=' ';`
`460`	`460`	`spirc=SPI_execute_plan(plan_getviewrule,args,nulls, true,2);`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commite1f7173

File tree

1 file changed

1 file changed

`‎src/backend/utils/adt/ruleutils.c‎`

0 commit comments