| From: | Галкин Сергей <galkin(at)rutoken(dot)ru> |
|---|---|
| To: | "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | DEREF_AFTER_NULL: src/common/jsonapi.c:2529 |
| Date: | 2026-04-06 08:26:18 |
| Message-ID: | 0b32e30f2fb94ae3b7f4ee15bbb072c0@rutoken.ru |
| Lists: | pgsql-hackers |
Hello, a static analyzer pointed out a possible NULL dereference at the end of json_errdetail() (src/common/jsonapi.c):
return lex->errormsg->data;
That seemed plausible to me, since there is a comment just above saying that lex->errormsg can be NULL in shlib code. I also checked PQExpBufferBroken(), and it does handle NULL, but that call is under #ifdef, while the final access to lex->errormsg->data is unconditional.
I may be missing some invariant here, but it seems worth adding an explicit NULL check. I prepared a corresponding patch and am attaching it below in case you agree that this is a real issue.
diff --git a/src/common/jsonapi.c b/src/common/jsonapi.c
index 1145d93945f..192040b5443 100644
--- a/src/common/jsonapi.c
+++ b/src/common/jsonapi.c
@@ -2525,6 +2525,9 @@ json_errdetail(JsonParseErrorType error, JsonLexContext *lex)
if (PQExpBufferBroken(lex->errormsg))
return _("out of memory while constructing error description");
#endif
+
+ if (!lex->errormsg)
+ return _("out of memory while constructing error description");
return lex->errormsg->data;
}
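Review bot: the new `if (!lex->errormsg)` test is placed after the `#endif`, so in the build where the `PQExpBufferBroken(lex->errormsg)` check above is compiled in it can never fire (as the cover note says, PQExpBufferBroken() already returns the out-of-memory message for a NULL buffer), and in the other build it only helps if lex->errormsg can actually be NULL there rather than the allocator erroring out; please confirm that path exists before adding the check, or hoist the NULL test above the `#ifdef` so both builds share one check. As written, the identical string `_("out of memory while constructing error description")` is now returned from two adjacent places, which is easy to let drift apart; a single check with one message would be simpler to maintain.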
Best regards, Galkin Sergey
| Attachment | Content-Type | Size |
|---|---|---|
| 0001-Added-an-additional-check-when-dereferencing-a-point.patch | application/octet-stream | 769 bytes |
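As an added illustration, not code from this message or from PostgreSQL: the C program below models the situation the report describes (an error buffer created lazily, an allocator that can return NULL, a broken-buffer check that is compiled in for only one build, and a final dereference that is unconditional) and shows the check that closes the gap. The ErrBuf type, the fail_next_alloc hook, and the runtime frontend_build flag standing in for the #ifdef are all constructed for this example and are not the libpq or jsonapi.c implementation.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical buffer shaped like a PQExpBuffer: "broken" means maxlen == 0,
 * and the create routine returns NULL when the struct itself cannot be allocated. */
typedef struct ErrBuf {
    char   *data;
    size_t  len;
    size_t  maxlen;
} ErrBuf;

#define ERRBUF_BROKEN(b)  ((b) == NULL || (b)->maxlen == 0)

static const char *const OOM_MSG =
    "out of memory while constructing error description";

/* Test hook (constructed for this example): when set, the next allocation fails. */
static int fail_next_alloc = 0;

static void *xmalloc(size_t n)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    return malloc(n);
}

static char broken_data[1] = "";

static ErrBuf *errbuf_create(void)
{
    ErrBuf *b = xmalloc(sizeof(ErrBuf));

    if (b == NULL)
        return NULL;               /* the NULL the report is about */
    b->maxlen = 64;
    b->data = xmalloc(b->maxlen);
    if (b->data == NULL) {         /* mark the buffer broken instead */
        b->data = broken_data;
        b->maxlen = 0;
    }
    b->len = 0;
    return b;
}

/* Stand-in for the lex context: the buffer is allocated on first use. */
typedef struct Lex {
    ErrBuf *errormsg;
} Lex;

static void append_msg(Lex *lex, const char *msg)
{
    size_t n;

    if (lex->errormsg == NULL)
        lex->errormsg = errbuf_create();
    if (ERRBUF_BROKEN(lex->errormsg))
        return;                    /* caller has to notice the failure */
    n = strlen(msg);
    if (n >= lex->errormsg->maxlen)
        n = lex->errormsg->maxlen - 1;
    memcpy(lex->errormsg->data, msg, n);
    lex->errormsg->data[n] = '\0';
    lex->errormsg->len = n;
}

/* "Before": the broken-buffer check exists only in the frontend build
 * (a runtime flag here, #ifdef in the real code); the final dereference is
 * unconditional, so frontend_build == 0 plus a failed allocation crashes. */
const char *errdetail_before(Lex *lex, int frontend_build)
{
    append_msg(lex, "Token \"}\" is invalid.");
    if (frontend_build && ERRBUF_BROKEN(lex->errormsg))
        return OOM_MSG;
    return lex->errormsg->data;
}

/* "After": the NULL case is handled regardless of build. */
const char *errdetail_after(Lex *lex, int frontend_build)
{
    append_msg(lex, "Token \"}\" is invalid.");
    if (frontend_build && ERRBUF_BROKEN(lex->errormsg))
        return OOM_MSG;
    if (lex->errormsg == NULL)
        return OOM_MSG;
    return lex->errormsg->data;
}

int main(void)
{
    Lex lex = {NULL};

    fail_next_alloc = 1;           /* simulate OOM in the non-frontend build */
    printf("%s\n", errdetail_after(&lex, 0));
    return 0;
}
```

Build with `cc -o errdetail errdetail.c && ./errdetail`; the run simulates an allocation failure in the build without the conditional check, which is exactly the path where errdetail_before would dereference NULL. In this model the ERRBUF_BROKEN test already covers NULL, so moving that one test outside the conditional would serve both builds with a single check and a single message string.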