Fix pfree crash in pg_get_role_ddl() and pg_get_database_ddl().

DatumGetArrayTypeP() can return a pointer into the tuple when the
datum is stored as a short varlena, so pfree() on the result crashes.
Use DatumGetArrayTypePCopy() to always get a palloc'd copy.

Bug introduced in 76e514ebb4b and a4f774cf1c7.

Reported-by: Jeff Davis <pgsql@j-davis.com>
Author: Satya Narlapuram <satya.narlapuram@gmail.com>
Discussion: https://postgr.es/m/CAHg+QDdWtv9PKtPZEokwGCNtbv4MVnfYw5wMZrsEj4xizSNe5Q@mail.gmail.com

diff --git a/src/backend/utils/adt/ddlutils.c b/src/backend/utils/adt/ddlutils.c
index b16c277d000563527234aa081bed98983ea1f267..c4f9f86c43ebef71939efac0a246cdf8720f6483 100644 (file)
--- a/src/backend/utils/adt/ddlutils.c
+++ b/src/backend/utils/adt/ddlutils.c
@@ -480,7 +480,7 @@ pg_get_role_ddl_internal(Oid roleid, bool pretty, bool memberships)
                if (isnull)
                        continue;
 
-               role_settings = DatumGetArrayTypeP(datum);
+               role_settings = DatumGetArrayTypePCopy(datum);
 
                deconstruct_array_builtin(role_settings, TEXTOID, &settings, &nulls, &nsettings);
 
@@ -1060,7 +1060,7 @@ pg_get_database_ddl_internal(Oid dbid, bool pretty,
                if (isnull)
                        continue;
 
-               dbconfig = DatumGetArrayTypeP(datum);
+               dbconfig = DatumGetArrayTypePCopy(datum);
 
                deconstruct_array_builtin(dbconfig, TEXTOID, &settings, &nulls, &nsettings);