Re: Buffer overflow in SerializeLibraryState() found by Address Sanitizer - Mailing list pgsql-hackers

From David Geier
Subject Re: Buffer overflow in SerializeLibraryState() found by Address Sanitizer
Date
Msg-id c87fd627-972b-4a17-a83c-b79e2f935d4a@gmail.com
In response to Re: Buffer overflow in SerializeLibraryState() found by Address Sanitizer  (Daniel Gustafsson <daniel@yesql.se>)
List pgsql-hackers
The loop advances the pointer via start_address += len.

-- 
David Geier
(ServiceNow)

On 6/10/2025 3:06 PM, Daniel Gustafsson wrote:
>> On 10 Jun 2025, at 14:59, David Geier <geidav.pg@gmail.com> wrote:
>>
>> Hi hackers!
>>
>> SerializeLibraryState() writes 1 byte too much into the buffer pointed to by start_address. This is the very last
>> '\0' it writes after the loop. Attached is a patch that fixes the problem by accounting for that extra byte in
>> EstimateLibraryStateSpace().
> The last '\0' written isn't performed in relation to the size, but at a fixed
> index in the buffer:
>
>      ...
>      }
>      start_address[0] = '\0';
>
> How would that cause a buffer overflow?
>
> --
> Daniel Gustafsson
>
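The off-by-one under discussion, modelled in C as an added example that is not PostgreSQL's code: the list type, the function names, the bounds-checked reporting and the two sample file names are all constructed for illustration. The serializer has the shape described in the thread (copy each name, advance start_address by len, write one '\0' after the loop), so an estimate that counts only each name's own terminator comes out one byte short of what the serializer writes.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical list node standing in for the loaded-library list. */
typedef struct LibEntry {
    const char *filename;
    const struct LibEntry *next;
} LibEntry;

/* Outcome of a serialization attempt. */
typedef struct {
    size_t needed;   /* bytes the complete encoding occupies */
    int overflow;    /* 1 if any write, including the final '\0', fell past maxsize */
} SerResult;

/* Estimate that counts each name plus its own NUL but not the extra
 * list-terminating '\0' written after the loop. This models the defect
 * described in the thread; it is not the real EstimateLibraryStateSpace(). */
size_t estimate_space_buggy(const LibEntry *list)
{
    size_t size = 0;
    for (; list != NULL; list = list->next)
        size += strlen(list->filename) + 1;
    return size;
}

/* Corrected estimate: reserve one byte for the post-loop terminator. */
size_t estimate_space_fixed(const LibEntry *list)
{
    return estimate_space_buggy(list) + 1;
}

/* Same shape as the serializer discussed: copy each name, advance by len,
 * then write one '\0' after the loop. Every write is bounds-checked here so
 * a mismatch with the estimate is reported instead of corrupting memory. */
SerResult serialize_library_state(const LibEntry *list, char *start_address, size_t maxsize)
{
    SerResult r = { 0, 0 };
    size_t off = 0;                       /* how far start_address has advanced */

    for (; list != NULL; list = list->next) {
        size_t len = strlen(list->filename) + 1;
        if (!r.overflow && off + len <= maxsize)
            memcpy(start_address + off, list->filename, len);
        else
            r.overflow = 1;
        off += len;                       /* the "start_address += len" step */
    }

    /* The post-loop terminator lands at the offset the loop advanced to.
     * With the buggy estimate that offset equals maxsize: one byte too far. */
    if (!r.overflow && off < maxsize)
        start_address[off] = '\0';        /* the "start_address[0] = '\0'" step */
    else
        r.overflow = 1;

    r.needed = off + 1;
    return r;
}

/* Reader side: names are consumed until the empty string produced by the
 * post-loop '\0'. Without that byte the reader has no stop condition. */
size_t count_serialized(const char *buf)
{
    size_t n = 0;
    while (*buf != '\0') {
        n++;
        buf += strlen(buf) + 1;
    }
    return n;
}

/* Constructed sample input: two made-up library file names. */
static const LibEntry sample_second = { "libaudit.so", NULL };
static const LibEntry sample_first  = { "libauth.so", &sample_second };

/* Serialize the sample into a buffer sized by the buggy or the fixed estimate. */
SerResult demo_serialize(int use_fixed_estimate)
{
    char buf[64];
    size_t size = use_fixed_estimate ? estimate_space_fixed(&sample_first)
                                     : estimate_space_buggy(&sample_first);
    assert(size <= sizeof buf);
    return serialize_library_state(&sample_first, buf, size);
}

/* Serialize with the fixed estimate and read the entries back. */
size_t demo_roundtrip(void)
{
    char buf[64];
    SerResult r = serialize_library_state(&sample_first, buf, estimate_space_fixed(&sample_first));
    assert(!r.overflow);
    return count_serialized(buf);
}

int main(void)
{
    SerResult buggy = demo_serialize(0), fixed = demo_serialize(1);
    printf("buggy estimate: needed %zu, overflow %d\n", buggy.needed, buggy.overflow);
    printf("fixed estimate: needed %zu, overflow %d\n", fixed.needed, fixed.overflow);
    printf("entries read back: %zu\n", demo_roundtrip());
    return 0;
}
```

With the buggy estimate the buffer is 23 bytes and the loop advances to offset 23, so the terminator would be written at index 23, one past the end; that is the single-byte write a sanitizer flags on the unchecked original. The reader loop also shows why that byte is not optional: it is the only thing that tells a consumer where the list ends.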