Re: BUG #18925: Heap-buffer-overflow: pglz_compress with pglz_stategy_always
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Dilip Kumar <dilipbalaut@gmail.com>, stasos24@gmail.com,
pgsql-bugs@lists.postgresql.org
Date: 2025-05-31T23:46:25Z
Lists: pgsql-bugs
Daniel Gustafsson <daniel@yesql.se> writes: > The way I read it there is now way to reproduce this as the codepath used in > the fuzzer ins't present in postgres (PGLZ_strategy_always is not used by any > callsite). > Whether or not there is a bug in the compression code, or PGLZ_strategy_always > being incorrectly defined, or none of the above, remains to be seen. I think the bug is in the test program: it's allocating an output buffer of the same size as the input buffer. This does not conform to the API spec for pglz_compress: * int32 * pglz_compress(const char *source, int32 slen, char *dest, * const PGLZ_Strategy *strategy); * * source is the input data to be compressed. * * slen is the length of the input data. * * dest is the output area for the compressed result. * It must be at least as big as PGLZ_MAX_OUTPUT(slen). PGLZ_MAX_OUTPUT adds 4 bytes to the size, which the test program is not doing, so an output buffer overrun can be expected no matter which strategy is selected. regards, tom lane