Re: BUG #1011: Explain analyze "query" cause segv

"PostgreSQL Bugs List" <pgsql-bugs@postgresql.org> writes:
> There is test case (notice there is ltree column):

Seems to be a buffer overrun in lquery_out().  I've applied the attached
patch for 7.4.1.

            regards, tom lane

*** contrib/ltree/ltree_io.c.orig    Sun Aug  3 20:43:10 2003
--- contrib/ltree/ltree_io.c    Wed Dec 17 15:09:40 2003
***************
*** 498,518 ****
                 *ptr;
      int            i,
                  j,
!                 totallen = 0;
      lquery_level *curqlevel;
      lquery_variant *curtlevel;

      curqlevel = LQUERY_FIRST(in);
      for (i = 0; i < in->numlevel; i++)
      {
          if (curqlevel->numvar)
!             totallen = (curqlevel->numvar * 4) + 1 + curqlevel->totallen;
          else
!             totallen = 2 * 11 + 4;
!         totallen++;
          curqlevel = LQL_NEXT(curqlevel);
      }
-

      ptr = buf = (char *) palloc(totallen);
      curqlevel = LQUERY_FIRST(in);
--- 498,517 ----
                 *ptr;
      int            i,
                  j,
!                 totallen = 1;
      lquery_level *curqlevel;
      lquery_variant *curtlevel;

      curqlevel = LQUERY_FIRST(in);
      for (i = 0; i < in->numlevel; i++)
      {
+         totallen++;
          if (curqlevel->numvar)
!             totallen += 1 + (curqlevel->numvar * 4) + curqlevel->totallen;
          else
!             totallen += 2 * 11 + 4;
          curqlevel = LQL_NEXT(curqlevel);
      }

      ptr = buf = (char *) palloc(totallen);
      curqlevel = LQUERY_FIRST(in);