mirror of https://github.com/postgres/postgres.git synced 2025-10-24 01:29:19 +03:00

Avoid potential buffer overflow crash

A pointer to a C string was treated as a pointer to a "name" datum and
passed to SPI_execute_plan().  This pointer would then end up being
passed through datumCopy(), which would try to copy the entire 64 bytes
of name data, thus running past the end of the C string.  Fix by
converting the string to a proper name structure.

Found by LLVM AddressSanitizer.
Peter Eisentraut
2013-11-23 07:25:37 -05:00
parent 92a752151f
commit e1f7173ea1
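The commit message describes a fixed-length, by-reference datum (64 bytes of "name" data) being copied from a pointer that only addressed a short NUL-terminated string. The following C program is an added illustration of that mismatch and of the zero-padding conversion that fixes it; it is not PostgreSQL code. It models NAMEDATALEN, NameData, datumCopy() and namestrcpy() with local stand-ins (all of them assumptions made for the example) and deliberately does not perform the out-of-bounds read itself: it only shows, by comparing allocation size with copy length, why the unconverted string is unsafe and why the converted name is not.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not PostgreSQL source. In the server NAMEDATALEN is 64 and
 * "name" is a fixed-size, by-reference type; these are local stand-ins. */
#define NAMEDATALEN 64

typedef struct {
    char data[NAMEDATALEN];
} NameData;
typedef NameData *Name;

/* Model of datumCopy() for a by-reference type of fixed length typlen:
 * it copies exactly typlen bytes starting at ptr, whatever ptr points to. */
static void *model_datum_copy(const void *ptr, size_t typlen)
{
    void *copy = malloc(typlen);
    if (copy != NULL)
        memcpy(copy, ptr, typlen);
    return copy;
}

/* Stand-in for the server's namestrcpy(): truncate to NAMEDATALEN-1 bytes
 * and zero-pad, so the result always occupies a full NAMEDATALEN bytes. */
static void name_from_cstring(Name dst, const char *src)
{
    strncpy(dst->data, src, NAMEDATALEN);   /* zero-pads when src is short */
    dst->data[NAMEDATALEN - 1] = '\0';      /* guarantee NUL termination */
}

/* Returns 1 when a copy of typlen bytes from a buffer of alloc_len bytes
 * stays inside the buffer, 0 when it would read past the end. */
static int copy_in_bounds(size_t alloc_len, size_t typlen)
{
    return typlen <= alloc_len;
}

/* Safe path: convert the C string to a proper NameData first, then copy the
 * full fixed width. The source now really is NAMEDATALEN bytes long. */
static Name copy_name_datum(const char *cstr)
{
    NameData local;
    name_from_cstring(&local, cstr);
    return (Name) model_datum_copy(&local, sizeof(NameData));
}

int main(void)
{
    /* Constructed input: the kind of short rule-name string the bug involved. */
    const char *rule = "_RETURN";
    size_t cstring_len = strlen(rule) + 1;   /* bytes actually backing the string */

    /* Before the fix: a Datum pointing at the bare C string, copied as a name. */
    printf("copying %d bytes from a %zu-byte C string: %s\n",
           NAMEDATALEN, cstring_len,
           copy_in_bounds(cstring_len, NAMEDATALEN) ? "in bounds" : "OUT OF BOUNDS");

    /* After the fix: the string is converted to a NameData first. */
    Name copy = copy_name_datum(rule);
    if (copy == NULL)
        return 1;
    printf("copying %d bytes from a %zu-byte NameData: %s (value \"%s\")\n",
           NAMEDATALEN, sizeof(NameData),
           copy_in_bounds(sizeof(NameData), NAMEDATALEN) ? "in bounds" : "OUT OF BOUNDS",
           copy->data);
    free(copy);
    return 0;
}
```

The comparison is what AddressSanitizer reports at runtime: a 64-byte read from an 8-byte heap or static allocation. The conversion step makes the source object as wide as the type the plan expects, so the same 64-byte copy is in bounds; it also silently truncates names longer than NAMEDATALEN-1 bytes, which is acceptable for a fixed internal rule name but worth remembering for user-supplied strings.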


@@ -454,7 +454,7 @@ pg_get_viewdef_worker(Oid viewoid, int prettyFlags)
* Get the pg_rewrite tuple for the view's SELECT rule * Get the pg_rewrite tuple for the view's SELECT rule
*/ */
args[0] = ObjectIdGetDatum(viewoid); args[0] = ObjectIdGetDatum(viewoid);
args[1] = PointerGetDatum(ViewSelectRuleName); args[1] = DirectFunctionCall1(namein, CStringGetDatum(ViewSelectRuleName));
nulls[0] = ' '; nulls[0] = ' ';
nulls[1] = ' '; nulls[1] = ' ';
spirc = SPI_execute_plan(plan_getviewrule, args, nulls, true, 2); spirc = SPI_execute_plan(plan_getviewrule, args, nulls, true, 2);
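Review bot: the replacement on line 457, args[1] = DirectFunctionCall1(namein, CStringGetDatum(ViewSelectRuleName));, palloc's a NAMEDATALEN-byte Name in the current memory context and never frees it; inside an SPI_connect'd block that memory is reclaimed at SPI_finish, so it is not a leak here, but a stack NameData (namestrcpy(&rulename, ViewSelectRuleName); args[1] = NameGetDatum(&rulename);) would avoid the allocation and make it explicit that the second parameter is a fixed 64-byte datum rather than a C string. It is also worth confirming that plan_getviewrule was prepared with NAMEOID as the type of its second parameter, since that declared type is what makes datumCopy() read the full 64 bytes described in the commit message and is why the bare C string pointer over-read in the first place.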