Value scan leaking arbitrary memory when combined with easyjson.RawMessage

[niallnsec]

Describe the bug
When scanning into a field of type easyjson.RawMessage, random binary data from memory is sometimes added to the start of the buffer.

The underlying type of easyjson.RawMessage is a []byte. I have multiple queries which return JSONB data that I then marshal into a struct field of type easyjson.RawMessage. This worked fine in v4 of the package.

Expected behavior
After upgrading to v5, the code would still work.

Actual behavior
After upgrading to v5, marshalling into a field of type easyjson.RawMessage results in random bytes from memory being appended to the start of the buffer most of the time. If I define a temporary variable of type []byte, scan into that and then assign that variable to the struct field the data is marshalled correctly.

Version

• Go: go version go1.19.3 darwin/arm64
• PostgreSQL: PostgreSQL 14.4 on aarch64-unknown-linux-musl, compiled by gcc (Alpine 11.2.1_git20220219) 11.2.1 20220219, 64-bit
• pgx: v5.2.0

[niallnsec]

Interestingly, it also works as expected if I cast the variable before passing it into rows.Scan(), eg:

var rawMsg easyjson.RawMessage
rows.Scan(..., (*[]byte)(&rawMsg), ...)

[jackc]

I've never used easyjson but a quick glance at https://github.com/mailru/easyjson/blob/master/raw.go makes me suspect this is the problem.

func (v *RawMessage) UnmarshalJSON(data []byte) error {
	*v = data
	return nil
}

This is a bug. See https://pkg.go.dev/encoding/json#Unmarshaler.

UnmarshalJSON must copy the JSON data if it wishes to retain the data after returning.

I've posted a bug to their issue tracker. mailru/easyjson#380

[niallnsec]

Thanks for the insight, I had assumed that pgx was treating the data as just raw bytes, I didn't realise it was calling the UnmarshalJSON function.