Thank you for figuring out the problem, Tom!
but the declaration that the regress.so functions expect is what's in
src/test/regress/sql/create_type.sql:
CREATE TYPE widget (
   internallength = 24,
   input = widget_in,
   output = widget_out,
   typmod_in = numerictypmodin,
   typmod_out = numerictypmodout,
   alignment = double
);
After using the correct type you mentioned, the test case does not trigger a crash anymore.
But I am a bit wondering whether it is a bug. I think PostgreSQL should not directly crash because of an incorrect datatype. Maybe PostgreSQL can return an error?
Best wishes,
Zuming
PG Bug reporting form <noreply@postgresql.org> writes:
My fuzzer finds a heap-buffer-overflow bug in PostgreSQL 17devel, which
makes PostgreSQL crash.
All I see here is a datatype declaration that doesn't match what the
C functions expect. You wrote:
CREATE TYPE widget (
   input = widget_in,
   output = widget_out,
   alignment = double
);
but the declaration that the regress.so functions expect is what's in
src/test/regress/sql/create_type.sql:
CREATE TYPE widget (
   internallength = 24,
   input = widget_in,
   output = widget_out,
   typmod_in = numerictypmodin,
   typmod_out = numerictypmodout,
   alignment = double
);
That is, widget_in expects it should produce a fixed-length Datum
(24 bytes long, with no length word). But you declared the type
as variable-length, meaning that datumCopy expects to find a length
word. That discrepancy leads directly to the reported crash.
regards, tom lane
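
The mismatch described in the quoted explanation, as an added example that is not part of the original thread and not PostgreSQL source: a simplified model of a copy routine that trusts the declared type length. The struct layout and the helper names `inferred_size` and `checked_copy` are hypothetical, and the length word is modelled as a plain 4-byte integer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 24-byte fixed-length value with no length word, standing in for what
 * an input function written for internallength = 24 produces. */
typedef struct { double x, y, radius; } widget;

/* Hypothetical helper: the size a copy routine infers from the declaration.
 * typlen > 0 means fixed length. typlen == -1 means variable length, so the
 * first 4 bytes are read as a length word (simplified: real varlena headers
 * also pack flag bits into that word). */
static size_t inferred_size(const void *datum, int typlen)
{
    uint32_t len_word;
    if (typlen > 0)
        return (size_t) typlen;
    memcpy(&len_word, datum, sizeof len_word);
    return len_word;
}

/* Hypothetical checked copy: refuses when the inferred size exceeds the bytes
 * really allocated for the source, or the destination capacity.
 * Returns the number of bytes copied, or -1 on a mismatch. */
static long checked_copy(void *dst, size_t dst_cap,
                         const void *src, size_t src_alloc, int typlen)
{
    size_t n = inferred_size(src, typlen);
    if (n > src_alloc || n > dst_cap)
        return -1;
    memcpy(dst, src, n);
    return (long) n;
}

int main(void)
{
    widget w = { 0.1, 2.0, 3.0 };   /* constructed sample value */
    unsigned char out[64];

    printf("declared internallength = 24: copied %ld bytes\n",
           checked_copy(out, sizeof out, &w, sizeof w, 24));
    /* Declared variable-length: bytes of the double 0.1 are read as a length. */
    printf("declared variable-length: length word reads as %zu, copy returns %ld\n",
           inferred_size(&w, -1),
           checked_copy(out, sizeof out, &w, sizeof w, -1));
    return 0;
}
```

The check in `checked_copy` works here only because the caller passes the true allocation size; a copy routine that receives nothing but a pointer and the declared length has no such value to compare against.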