From 0f8ff3e467b2b52e8c0c44b01a1f9a4495949ba1 Mon Sep 17 00:00:00 2001 From: Peter Eisentraut Date: Sat, 23 Nov 2013 07:25:37 -0500 Subject: [PATCH] Avoid potential buffer overflow crash A pointer to a C string was treated as a pointer to a "name" datum and passed to SPI_execute_plan(). This pointer would then end up being passed through datumCopy(), which would try to copy the entire 64 bytes of name data, thus running past the end of the C string. Fix by converting the string to a proper name structure. Found by LLVM AddressSanitizer. --- src/backend/utils/adt/ruleutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/backend/utils/adt/ruleutils.c b/src/backend/utils/adt/ruleutils.c index fbade83746..ff983cca5d 100644 --- a/src/backend/utils/adt/ruleutils.c +++ b/src/backend/utils/adt/ruleutils.c @@ -633,7 +633,7 @@ pg_get_viewdef_worker(Oid viewoid, int prettyFlags, int wrapColumn) * Get the pg_rewrite tuple for the view's SELECT rule */ args[0] = ObjectIdGetDatum(viewoid); - args[1] = PointerGetDatum(ViewSelectRuleName); + args[1] = DirectFunctionCall1(namein, CStringGetDatum(ViewSelectRuleName)); nulls[0] = ' '; nulls[1] = ' '; spirc = SPI_execute_plan(plan_getviewrule, args, nulls, true, 2);