From: Andrew Dunstan <andrew@dunslane.net>
Date: Tue, 14 Apr 2026 22:25:36 +0000 (-0400)
Subject: Fix pfree crash in pg_get_role_ddl() and pg_get_database_ddl().
X-Git-Url: http://git.ipfire.org/index.cgi?a=commitdiff_plain;h=1f108fc02ece09da5773ece74e25812cb952ebfc;p=thirdparty%2Fpostgresql.git

Fix pfree crash in pg_get_role_ddl() and pg_get_database_ddl().

DatumGetArrayTypeP() can return a pointer into the tuple when the
datum is stored as a short varlena, so pfree() on the result crashes.
Use DatumGetArrayTypePCopy() to always get a palloc'd copy.

Bug introduced in 76e514ebb4b and a4f774cf1c7.

Reported-by: Jeff Davis <pgsql@j-davis.com>
Author: Satya Narlapuram <satya.narlapuram@gmail.com>
Discussion: https://postgr.es/m/CAHg+QDdWtv9PKtPZEokwGCNtbv4MVnfYw5wMZrsEj4xizSNe5Q@mail.gmail.com
---

diff --git a/src/backend/utils/adt/ddlutils.c b/src/backend/utils/adt/ddlutils.c
index b16c277d000..c4f9f86c43e 100644
--- a/src/backend/utils/adt/ddlutils.c
+++ b/src/backend/utils/adt/ddlutils.c
@@ -480,7 +480,7 @@ pg_get_role_ddl_internal(Oid roleid, bool pretty, bool memberships)
 		if (isnull)
 			continue;
 
-		role_settings = DatumGetArrayTypeP(datum);
+		role_settings = DatumGetArrayTypePCopy(datum);
 
 		deconstruct_array_builtin(role_settings, TEXTOID, &settings, &nulls, &nsettings);
 
@@ -1060,7 +1060,7 @@ pg_get_database_ddl_internal(Oid dbid, bool pretty,
 		if (isnull)
 			continue;
 
-		dbconfig = DatumGetArrayTypeP(datum);
+		dbconfig = DatumGetArrayTypePCopy(datum);
 
 		deconstruct_array_builtin(dbconfig, TEXTOID, &settings, &nulls, &nsettings);