Re: Buffer overflow in SerializeLibraryState() found by Address Sanitizer - Mailing list pgsql-hackers

From Daniel Gustafsson
Subject Re: Buffer overflow in SerializeLibraryState() found by Address Sanitizer
Msg-id 0F71EBA4-D2BD-4951-A95F-C44952434797@yesql.se
List pgsql-hackers
> On 10 Jun 2025, at 14:59, David Geier <geidav.pg@gmail.com> wrote:
>
> Hi hackers!
>
> SerializeLibraryState() writes 1 byte too much into the buffer pointed to by start_address. This is the very last
> '\0' it writes after the loop. Attached is a patch that fixes the problem by accounting for that extra byte in
> EstimateLibraryStateSpace().

The last '\0' written isn't performed in relation to the size, but at a fixed
index in the buffer:

    ...
    }
    start_address[0] = '\0';

How would that cause a buffer overflow?

--
Daniel Gustafsson
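An added illustration, not part of this thread and not PostgreSQL's code: a hypothetical estimate/serialize pair with the shape quoted above, where the write pointer is advanced inside the loop and `[0] = '\0'` is then written through that advanced pointer. The point it makes is that such a "fixed index" write lands at byte `needed` of the original buffer, so whether it fits depends entirely on whether the space estimate counted that terminating byte. The library names, the `estimate_libs` and `serialize_libs` functions and the `count_list_terminator` switch are constructed for the example; the serializer is bounds-checked here so it never writes past `cap` and instead reports the byte count the unchecked pattern would have produced.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed library list for this example; not PostgreSQL's file_list. */
static const char *const libs[] = { "plpgsql", "pg_stat_statements" };
#define NLIBS (sizeof libs / sizeof libs[0])

/* Hypothetical space estimate: one NUL-terminated name per library, plus
 * (optionally) the single NUL that terminates the whole list. */
size_t estimate_libs(int count_list_terminator)
{
    size_t size = count_list_terminator ? 1 : 0;
    for (size_t i = 0; i < NLIBS; i++)
        size += strlen(libs[i]) + 1;
    return size;
}

/* Hypothetical serializer following the shape quoted in the thread: the
 * write pointer p is advanced past each copied name, then "[0] = '\0'" is
 * written through that advanced pointer.  Every store is bounds-checked
 * against cap; the return value is the number of bytes the unchecked
 * pattern would have written, so callers can compare it with the estimate. */
size_t serialize_libs(char *buf, size_t cap)
{
    char *p = buf;
    size_t needed = 0;

    for (size_t i = 0; i < NLIBS; i++) {
        size_t len = strlen(libs[i]) + 1;   /* name plus its own NUL */
        if (needed + len <= cap)
            memcpy(p, libs[i], len);
        p += len;                            /* pointer moves with the data */
        needed += len;
    }
    /* The "fixed index" write: index 0 of the advanced pointer, which is
     * byte 'needed' of the original buffer, one past the loop's output. */
    if (needed < cap)
        p[0] = '\0';
    needed += 1;
    return needed;
}

/* Returns 1 if the estimate covers every byte the serializer writes,
 * 0 if the serializer would run past a buffer sized from the estimate. */
int estimate_covers_writes(int count_list_terminator)
{
    char buf[64];                            /* large enough for the sample */
    size_t est = estimate_libs(count_list_terminator);
    size_t written = serialize_libs(buf, sizeof buf);
    return written <= est;
}

int main(void)
{
    char buf[64];
    size_t written = serialize_libs(buf, sizeof buf);

    printf("serializer writes %zu bytes\n", written);
    printf("estimate without list terminator: %zu -> %s\n",
           estimate_libs(0), estimate_covers_writes(0) ? "fits" : "1 byte short");
    printf("estimate with list terminator:    %zu -> %s\n",
           estimate_libs(1), estimate_covers_writes(1) ? "fits" : "1 byte short");
    return 0;
}
```

The check worth keeping around in a regression test is the last one: size a buffer from the estimate, run the serializer through a bounds-checked writer, and assert that the reported byte count never exceeds the estimate. That turns the question in the thread into a mechanical comparison instead of a reading of where the final store lands.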