Fix potential buffer overflow when len(typname) > 32

The fixed size buffer tmp[32] was not updated when type casting was added.

Reported by Ian Sollars

diff --git a/src/query.c b/src/query.c
index 1deba9a98f2ccc74cb37e26d850caed1779c7a8d..c734bf0ba83e0a0bc0c0b9c57f15f827da51d1c5 100644 (file)
--- a/src/query.c
+++ b/src/query.c
@@ -69,13 +69,13 @@ plproxy_query_add_const(QueryBuffer *q, const char *data)
 static void
 add_ref(StringInfo buf, int sql_idx, ProxyFunction *func, int fn_idx, bool add_type)
 {
-       char            tmp[32];
+       char            tmp[1 + 3 + 2 + NAMEDATALEN*2 + 1];
 
        if (add_type)
-               sprintf(tmp, "$%d::%s", sql_idx + 1,
+               snprintf(tmp, sizeof(tmp), "$%d::%s", sql_idx + 1,
                                func->arg_types[fn_idx]->name);
        else
-               sprintf(tmp, "$%d", sql_idx + 1);
+               snprintf(tmp, sizeof(tmp), "$%d", sql_idx + 1);
        appendStringInfoString(buf, tmp);
 }