Skip to content

Commit e1f7173

Browse files
committed
Avoid potential buffer overflow crash
A pointer to a C string was treated as a pointer to a "name" datum and passed to SPI_execute_plan(). This pointer would then end up being passed through datumCopy(), which would try to copy the entire 64 bytes of name data, thus running past the end of the C string. Fix by converting the string to a proper name structure. Found by LLVM AddressSanitizer.
1 parent 92a7521 commit e1f7173

File tree

1 file changed

+1
-1
lines changed

1 file changed

+1
-1
lines changed

src/backend/utils/adt/ruleutils.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -454,7 +454,7 @@ pg_get_viewdef_worker(Oid viewoid, int prettyFlags)
454454
* Get the pg_rewrite tuple for the view's SELECT rule
455455
*/
456456
args[0] = ObjectIdGetDatum(viewoid);
457-
args[1] = PointerGetDatum(ViewSelectRuleName);
457+
args[1] = DirectFunctionCall1(namein, CStringGetDatum(ViewSelectRuleName));
458458
nulls[0] = ' ';
459459
nulls[1] = ' ';
460460
spirc = SPI_execute_plan(plan_getviewrule, args, nulls, true, 2);

0 commit comments

Comments
 (0)