Avoid potential buffer overflow crash
authorPeter Eisentraut <peter_e@gmx.net>
Sat, 23 Nov 2013 12:25:37 +0000 (07:25 -0500)
committerPeter Eisentraut <peter_e@gmx.net>
Sat, 23 Nov 2013 12:25:37 +0000 (07:25 -0500)
A pointer to a C string was treated as a pointer to a "name" datum and
passed to SPI_execute_plan().  This pointer would then end up being
passed through datumCopy(), which would try to copy the entire 64 bytes
of name data, thus running past the end of the C string.  Fix by
converting the string to a proper name structure.

Found by LLVM AddressSanitizer.

src/backend/utils/adt/ruleutils.c

index 74b573bd5e62d452444f3fdf654f1e8d5d5a0410..dffac7c5293d93913b7ab0b8193bdd1ae1f07a2d 100644 (file)
@@ -632,7 +632,7 @@ pg_get_viewdef_worker(Oid viewoid, int prettyFlags, int wrapColumn)
         * Get the pg_rewrite tuple for the view's SELECT rule
         */
        args[0] = ObjectIdGetDatum(viewoid);
-       args[1] = PointerGetDatum(ViewSelectRuleName);
+       args[1] = DirectFunctionCall1(namein, CStringGetDatum(ViewSelectRuleName));
        nulls[0] = ' ';
        nulls[1] = ' ';
        spirc = SPI_execute_plan(plan_getviewrule, args, nulls, true, 2);
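Review bot: The new args[1] line carries no hint of why the conversion is needed, and the next reader of pg_get_viewdef_worker may well "simplify" it back to a PointerGetDatum() over the C string, reintroducing the over-read that the commit message describes; a comment on the line would pin the reason, e.g. `/* namein builds a NAMEDATALEN-byte Name; a bare C string pointer would be over-read by datumCopy() */`. The Name returned by namein is palloc'd in the current memory context and nothing in the hunk frees it, which is presumably fine for a one-shot worker but is worth stating in the same comment if the function can run in a long-lived context. The correctness of the fix also depends on plan_getviewrule having been prepared with a name-typed second parameter; that preparation is outside the hunk, as is the rest of pg_get_viewdef_worker, so I could not confirm the two still agree.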