Re: Buffer overflow in SerializeLibraryState() found by Address Sanitizer

From: David Geier <geidav(dot)pg(at)gmail(dot)com>
To: Daniel Gustafsson <daniel(at)yesql(dot)se>
Cc: pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: Buffer overflow in SerializeLibraryState() found by Address Sanitizer
Date: 2025-06-10 14:21:58
Message-ID: c87fd627-972b-4a17-a83c-b79e2f935d4a@gmail.com

The loop advances the pointer via start_address += len.

--
David Geier
(ServiceNow)

On 6/10/2025 3:06 PM, Daniel Gustafsson wrote:
>> On 10 Jun 2025, at 14:59, David Geier <geidav(dot)pg(at)gmail(dot)com> wrote:
>>
>> Hi hackers!
>>
>> SerializeLibraryState() writes 1 byte too much into the buffer pointed to by start_address. This is the very last '\0' it writes after the loop. Attached is a patch that fixes the problem by accounting for that extra byte in EstimateLibraryStateSpace()
> The last '\0' written isn't performed in relation to the size, but at a fixed
> index in the buffer:
>
> ...
> }
> start_address[0] = '\0';
>
> How would that cause a buffer overflow?
>
> --
> Daniel Gustafsson
>
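The disagreement above comes down to one invariant: the space estimator must cover every byte the serializer writes, including the lone `'\0'` stored after the loop has advanced `start_address` past the last entry. The following is an added C model of that estimator/serializer pair (illustrative code written for this page, not PostgreSQL's dfmgr.c; the function names, the `demo_libraries` list and the bounds-checking `overflow` flag are all constructed here). It shows an estimator that counts only the entries beside one that also reserves the terminator byte, and a check that reports which of the two actually suffices for what the serializer emits.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample input standing in for a list of loaded library names. */
static const char *const demo_libraries[] = {
    "plpgsql", "pg_stat_statements", "auto_explain"
};
#define N_DEMO (sizeof demo_libraries / sizeof demo_libraries[0])

/* Estimator that sums each entry plus its own NUL, and nothing else. */
size_t estimate_entries_only(const char *const *libs, size_t n)
{
    size_t size = 0;
    for (size_t i = 0; i < n; i++)
        size += strlen(libs[i]) + 1;
    return size;
}

/* Same estimate plus the one byte for the list terminator written after the loop. */
size_t estimate_with_terminator(const char *const *libs, size_t n)
{
    return estimate_entries_only(libs, n) + 1;
}

/* Serialize the list into buf, never writing past maxsize.
 * Returns the number of bytes written; sets *overflow to 1 if any write
 * (including the trailing terminator) would have exceeded maxsize. */
size_t serialize(char *buf, size_t maxsize, const char *const *libs, size_t n,
                 int *overflow)
{
    char *start_address = buf;
    size_t remaining = maxsize;

    *overflow = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(libs[i]) + 1;   /* string bytes plus its NUL */
        if (len > remaining) {
            *overflow = 1;
            return (size_t)(start_address - buf);
        }
        memcpy(start_address, libs[i], len);
        remaining -= len;
        start_address += len;               /* cursor advance, as in the thread */
    }
    /* The terminator after the loop: the byte the estimate must account for. */
    if (remaining < 1) {
        *overflow = 1;
        return (size_t)(start_address - buf);
    }
    start_address[0] = '\0';
    return (size_t)(start_address - buf) + 1;
}

/* Returns 1 if the given estimator reserves exactly what serialize() writes. */
int estimate_is_sufficient(size_t (*est)(const char *const *, size_t))
{
    char buf[256];
    int overflow;
    size_t need = est(demo_libraries, N_DEMO);
    size_t written = serialize(buf, need, demo_libraries, N_DEMO, &overflow);
    return !overflow && written == need;
}

/* Walk a serialized buffer and count entries up to the empty-string terminator. */
size_t count_entries(const char *buf)
{
    size_t n = 0;
    while (*buf) {
        n++;
        buf += strlen(buf) + 1;
    }
    return n;
}

/* Round trip through the terminator-aware estimate and count what comes back. */
size_t roundtrip_entry_count(void)
{
    char buf[256];
    int overflow;
    size_t need = estimate_with_terminator(demo_libraries, N_DEMO);
    serialize(buf, need, demo_libraries, N_DEMO, &overflow);
    return overflow ? 0 : count_entries(buf);
}

int main(void)
{
    printf("entries-only estimate sufficient: %d\n",
           estimate_is_sufficient(estimate_entries_only));
    printf("with-terminator estimate sufficient: %d\n",
           estimate_is_sufficient(estimate_with_terminator));
    printf("entries read back: %zu\n", roundtrip_entry_count());
    return 0;
}
```

Running the check under AddressSanitizer is not needed to see the point: `serialize()` tracks `remaining` itself and refuses the final store when the estimator left no room for it, which is the defensive counterpart of the `Assert(len < maxsize)` style of check and makes the estimate/serialize mismatch visible as a returned flag rather than a heap write one byte past the allocation.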
