Re: BUG #18276: Heap-buffer-overflow triggered in src/backend/utils/adt/datum.c:163 - Mailing list pgsql-bugs

From Zu-Ming Jiang
Subject Re: BUG #18276: Heap-buffer-overflow triggered in src/backend/utils/adt/datum.c:163
Msg-id 25caa537-1add-4561-8ef9-806c46ac98ce@inf.ethz.ch
In response to Re: BUG #18276: Heap-buffer-overflow triggered in src/backend/utils/adt/datum.c:163  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: BUG #18276: Heap-buffer-overflow triggered in src/backend/utils/adt/datum.c:163  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-bugs
Thank you for figuring out the problem, Tom!

> but the declaration that the regress.so functions expect is what's in
> src/test/regress/sql/create_type.sql:
>
> CREATE TYPE widget (
>    internallength = 24,
>    input = widget_in,
>    output = widget_out,
>    typmod_in = numerictypmodin,
>    typmod_out = numerictypmodout,
>    alignment = double
> );

After using the correct type you mentioned, the test case does not trigger the crash anymore.

But I am a bit wondering whether it is a bug. I think PostgreSQL should not directly crash because of an incorrect datatype. Maybe PostgreSQL can return an error?

Best wishes,
Zuming


From: Tom Lane [mailto:tgl@sss.pgh.pa.us]
Sent: Sunday, January 7, 2024 at 8:16 PM
Subject: BUG #18276: Heap-buffer-overflow triggered in src/backend/utils/adt/datum.c:163

PG Bug reporting form <noreply@postgresql.org> writes:
> My fuzzer finds a heap-buffer-overflow bug in PostgreSQL 17devel, which
> makes PostgreSQL crash.
All I see here is a datatype declaration that doesn't match what the
C functions expect.  You wrote:

CREATE TYPE widget (
   input = widget_in,
   output = widget_out,
   alignment = double
);
but the declaration that the regress.so functions expect is what's in
src/test/regress/sql/create_type.sql:

CREATE TYPE widget (
   internallength = 24,
   input = widget_in,
   output = widget_out,
   typmod_in = numerictypmodin,
   typmod_out = numerictypmodout,
   alignment = double
);

That is, widget_in expects it should produce a fixed-length Datum
(24 bytes long, with no length word).  But you declared the type
as variable-length, meaning that datumCopy expects to find a length
word.  That discrepancy leads directly to the reported crash.
			regards, tom lane
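As an added illustration of the mismatch Tom describes (example code written for this page, not PostgreSQL's datumCopy and not from either poster), a toy model of the typlen convention: a fixed-length declaration copies exactly typlen bytes, while a variable-length declaration trusts a length word at the start of the datum. The 24-byte payload is constructed, the 4-byte length word is a simplification of the real varlena header, and the refusing copy shows what "return an error instead of crashing" would look like.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy model of the typlen convention Tom describes (simplified; not the
 * server's datumCopy, and real varlena headers are more involved):
 *   typlen  > 0 : fixed-length type, typlen bytes, no length word
 *   typlen == -1: variable-length type, 4-byte length word at the start */
#define WIDGET_LEN 24   /* internallength = 24 from create_type.sql */

/* Read the 4-byte length word a varlena datum is assumed to start with. */
static uint32_t varsize(const void *datum) {
    uint32_t len;
    memcpy(&len, datum, sizeof len);
    return len;
}

/* Bytes a copy would read for a pass-by-reference datum of the declared
 * typlen. For -1 the count comes from the datum's own first four bytes. */
size_t datum_size_for_typlen(int typlen, const void *datum) {
    if (typlen > 0) return (size_t) typlen;   /* trust the catalog */
    if (typlen == -1) return varsize(datum);  /* trust the length word */
    return 0;                                 /* not modelled here */
}

/* Copy that refuses, instead of over-reading, when the size implied by the
 * declaration exceeds what was actually allocated for the datum.
 * Returns bytes copied, or -1 on a declaration/payload mismatch. */
int checked_datum_copy(int typlen, const void *datum, size_t alloc_len,
                       void *out, size_t out_len) {
    size_t n = datum_size_for_typlen(typlen, datum);
    if (n == 0 || n > alloc_len || n > out_len) return -1;
    memcpy(out, datum, n);
    return (int) n;
}

/* Constructed 24-byte payload standing in for widget_in's output: three
 * doubles' worth of bytes and no length word in front (0xAB filler). */
void make_widget(unsigned char *buf) { memset(buf, 0xAB, WIDGET_LEN); }

/* Copy the constructed widget under a given declared typlen:
 * 24 -> copies 24 bytes; -1 -> reads 0xABABABAB as the length and refuses. */
int copy_widget_declared_as(int typlen) {
    unsigned char widget[WIDGET_LEN], out[64];
    make_widget(widget);
    return checked_datum_copy(typlen, widget, sizeof widget, out, sizeof out);
}
```

With typlen 24 the copy is bounded by the catalog; with typlen -1 the payload's first bytes become the length, which is the over-read the sanitizer reported and which the allocation check here turns into an error return.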
