Lists: | pgsql-bugs |
---|
From: | hlinnaka(at)iki(dot)fi |
---|---|
To: | pgsql-bugs(at)postgresql(dot)org |
Subject: | BUG #14468: One byte buffer overflow in quote_literal_cstr() |
Date: | 2016-12-16 10:50:01 |
The following bug has been logged on the website:
Bug reference: 14468
Logged by: Heikki Linnakangas
Email address: hlinnaka(at)iki(dot)fi
PostgreSQL version: 9.6.1
Operating system: All
Description:
postgres=# select format('%L', E'\\');
WARNING: detected write past chunk end in ExprContext 0x55c65ff98fa8
format
--------
E'\\'
(1 row)
This was originally reported against Greenplum, at
https://github.com/greenplum-db/gpdb/issues/1301. The code there isn't quite
the same, but it turned out to be a shared bug.
Looking at quote_literal_cstr(), it simply doesn't take into account the
space needed for the NULL terminator, when it allocates the buffer. The fix
is a straightforward + 1 to the allocation. I'll go and do that shortly, and
backpatch.
From: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> |
---|---|
To: | hlinnaka(at)iki(dot)fi |
Cc: | pgsql-bugs(at)postgresql(dot)org |
Subject: | Re: BUG #14468: One byte buffer overflow in quote_literal_cstr() |
Date: | 2016-12-16 14:43:51 |
hlinnaka(at)iki(dot)fi wrote:
> Looking at quote_literal_cstr(), it simply doesn't take into account the
> space needed for the NULL terminator, when it allocates the buffer. The fix
> is a straightforward + 1 to the allocation. I'll go and do that shortly, and
> backpatch.
Hm, that's a bit confusing. I thought the +3 included the terminator,
but what it's actually for is the optional starting E; and the reason
quote_literal doesn't need similar patching is that there is no
terminator 'cause it produces varlena. I would think this deserves a
comment ...
--
Álvaro Herrera https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
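
Added example, not part of the thread and not PostgreSQL's source: a bounds-checked C model of the buffer sizing discussed above, comparing the `len * 2 + 3` allocation with the `+ 1` fix. It assumes the quoting doubles every `'` and `\` and prefixes `E` when the input contains a backslash; the names `alloc_before_fix`, `alloc_after_fix`, `quote_literal_checked` and `fits` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Sizing before and after the fix described in the thread. */
static size_t alloc_before_fix(size_t len) { return len * 2 + 3; }
static size_t alloc_after_fix(size_t len)  { return len * 2 + 3 + 1; }

/*
 * Model (assumed behaviour): optional E prefix, opening quote, every ' and \
 * doubled, closing quote, NUL. Refuses to write at or past dst[cap].
 * Returns the string length written, or -1 if cap bytes are not enough.
 */
static long quote_literal_checked(char *dst, size_t cap, const char *raw)
{
    size_t n = 0;
#define PUT(c) do { if (n >= cap) return -1; dst[n++] = (c); } while (0)
    if (strchr(raw, '\\') != NULL)
        PUT('E');
    PUT('\'');
    for (const char *s = raw; *s != '\0'; s++) {
        if (*s == '\'' || *s == '\\')
            PUT(*s);             /* doubled character */
        PUT(*s);
    }
    PUT('\'');
    PUT('\0');                   /* the byte the old sizing left no room for */
#undef PUT
    return (long)(n - 1);
}

/* 1 if the quoted form fits in cap bytes, 0 if not, -1 if cap > scratch. */
static int fits(const char *raw, size_t cap)
{
    char buf[64];                /* scratch, enough for the short samples */
    if (cap > sizeof buf) return -1;
    return quote_literal_checked(buf, cap, raw) >= 0;
}

int main(void)
{
    /* Constructed inputs; "\\" is the single backslash from the report. */
    const char *samples[] = { "", "abc", "it's", "\\", "\\'", "a\\" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t len = strlen(samples[i]);
        printf("len=%zu before=%d after=%d\n", len,
               fits(samples[i], alloc_before_fix(len)),
               fits(samples[i], alloc_after_fix(len)));
    }
    return 0;
}
```

Under these assumptions the old size falls one byte short only when every input byte is a quote or backslash and at least one is a backslash, since only then are the `E`, both quotes and a doubling of every byte all needed at once.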