Re: Buffer overflow in SerializeLibraryState() found by Address Sanitizer

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: David Geier <geidav(dot)pg(at)gmail(dot)com>
Cc: pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: Buffer overflow in SerializeLibraryState() found by Address Sanitizer
Date: 2025-06-10 13:06:24
Message-ID: 0F71EBA4-D2BD-4951-A95F-C44952434797@yesql.se
Lists: pgsql-hackers

> On 10 Jun 2025, at 14:59, David Geier <geidav(dot)pg(at)gmail(dot)com> wrote:
>
> Hi hackers!
>
> SerializeLibraryState() writes 1 byte too much into the buffer pointed to by start_address. This is the very last '\0' it writes after the loop. Attached is a patch that fixes the problem by accounting for that extra byte in EstimateLibraryStateSpace().

The last '\0' written isn't performed in relation to the size, but at a fixed
index in the buffer:

...
}
start_address[0] = '\0';

How would that cause a buffer overflow?

--
Daniel Gustafsson
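A simplified model of the size-estimate versus serializer mismatch the report describes, added here as an illustration and not PostgreSQL's own code. It assumes a serializer that advances its write pointer after each NUL-terminated library name and then writes one final '\0' after the loop, and it counts the bytes so the one-byte shortfall of the estimate can be checked against a bounded buffer.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical model of the estimate/serialize pair discussed in the
 * thread; NOT PostgreSQL's code.  Each library name is written as a
 * NUL-terminated string, and a final '\0' marks the end of the list. */

/* Buggy estimate: counts each name plus its own terminator, but not the
 * trailing list terminator written after the loop. */
size_t estimate_buggy(const char *const *names, size_t n)
{
    size_t size = 0;
    for (size_t i = 0; i < n; i++)
        size += strlen(names[i]) + 1;
    return size;
}

/* Fixed estimate: reserve one extra byte for the trailing '\0'. */
size_t estimate_fixed(const char *const *names, size_t n)
{
    return estimate_buggy(names, n) + 1;
}

/* Serialize into buf, which holds 'cap' bytes.  Returns the number of
 * bytes the serializer wants to write; bytes beyond cap are not written,
 * so a return value larger than cap tells the caller the estimate that
 * sized the buffer was short.  An unchecked serializer would instead
 * write that last byte past the end of the allocation. */
size_t serialize(const char *const *names, size_t n, char *buf, size_t cap)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(names[i]) + 1;   /* name plus its NUL */
        if (off + len <= cap)
            memcpy(buf + off, names[i], len);
        off += len;                          /* advance the write pointer */
    }
    /* the terminator written after the loop: one more byte */
    if (off < cap)
        buf[off] = '\0';
    return off + 1;
}
```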
