From: | PG Bug reporting form <noreply(at)postgresql(dot)org> |
---|---|
To: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
Cc: | gorcom2012(at)gmail(dot)com |
Subject: | BUG #18908: DEREF_OF_NULL: After having been assigned to a NULL value at descriptor.c:203 |
Date: | 2025-04-30 11:25:56 |
Message-ID: | 18908-6531c66d23729837@postgresql.org |
Lists: | pgsql-bugs |
The following bug has been logged on the website:
Bug reference: 18908
Logged by: Eugeny Goryachev
Email address: gorcom2012(at)gmail(dot)com
PostgreSQL version: 17.4
Operating system: Ubuntu
Description:
DEREF_OF_NULL.EX.COND After having been assigned to a NULL value at
descriptor.c:203, pointer '0' is passed as 5th parameter in call to function
'ECPGdump_a_type' at descriptor.c:203, where it is dereferenced at
type.c:332.
In the file /src/interfaces/ecpg/preproc/descriptor.c, in the function
output_get_descr(), there is a call to ECPGdump_a_type() with an explicit
NULL passed as the 5th parameter:
void
output_get_descr(char *desc_name, char *index)
{
    ***
    ECPGdump_a_type(base_yyout, v->name, v->type, v->brace_level,
                    NULL, NULL, -1, NULL, NULL, str_zero, NULL, NULL);
    ***
}
This NULL parameter is then passed to the ECPGdump_a_struct() function,
where it gets dereferenced:
static void
ECPGdump_a_struct(FILE *o, const char *name, const char *ind_name, char *arrsize,
                  struct ECPGtype *type, struct ECPGtype *ind_type,
                  const char *prefix, const char *ind_prefix)
{
    ***
    char *pbuf = (char *) mm_alloc(strlen(name) + ((prefix == NULL) ? 0 : strlen(prefix)) + 3);
    ***
}
When name == NULL, the strlen(name) call will cause a Segmentation Fault.
To fix this issue, I propose the following patch:
diff --git a/src/interfaces/ecpg/preproc/type.c
b/src/interfaces/ecpg/preproc/type.c
index a842bb6a1fe..7ffae74bcf2 100644
--- a/src/interfaces/ecpg/preproc/type.c
+++ b/src/interfaces/ecpg/preproc/type.c
@@ -587,7 +587,7 @@ ECPGdump_a_struct(FILE *o, const char *name, const char
*ind_name, char *arrsize
struct ECPGstruct_member *p,
*ind_p = NULL;
char *pbuf = (char *) mm_alloc(strlen(name) + ((prefix == NULL) ?
0 : strlen(prefix)) + 3);
- char *ind_pbuf = (char *) mm_alloc(strlen(ind_name) +
((ind_prefix == NULL) ? 0 : strlen(ind_prefix)) + 3);
+ char *ind_pbuf = (char *) mm_alloc(((ind_name == NULL) ? 0 :
strlen(ind_name)) + ((ind_prefix == NULL) ? 0 : strlen(ind_prefix)) + 3);
if (atoi(arrsize) == 1)
sprintf(pbuf, "%s%s.", prefix ? prefix : "", name);
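Review bot: the added guard covers only the strlen(ind_name) inside the allocation size, while the description above says the NULL reaches strlen(name); the strlen(name) call in the pbuf allocation is left unchanged, so either the description or the fix is aimed at the wrong argument and the two should be reconciled. Independently of that, the trailing context line formats pbuf with sprintf(pbuf, "%s%s.", prefix ? prefix : "", name); if ind_pbuf is filled the same way from ind_name further down, a NULL ind_name would still be handed to "%s" after this change, so it is safer to reject a NULL ind_name at the top of the function (or skip the indicator path entirely) than to make only the size computation tolerate it. A short comment stating when ind_name may legitimately be NULL would also help the next reader.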
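A model of the affected buffer construction, added here as an example (not ecpg's own code): the unchecked form mirrors the strlen-before-check shape quoted above, and the hardened form shows why a NULL name has to be rejected before both the length computation and the later formatting step, not just at the strlen() call. It assumes malloc() in place of ecpg's mm_alloc().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Models the pbuf construction in ECPGdump_a_struct(): strlen(name) runs
 * before any NULL check, so a NULL name dereferences NULL right here.
 * malloc() stands in for mm_alloc() (assumption). Kept only to show the
 * failing pattern; never call it with name == NULL. */
char *member_prefix_unchecked(const char *prefix, const char *name)
{
    char *buf = malloc(strlen(name) + ((prefix == NULL) ? 0 : strlen(prefix)) + 3);
    if (buf == NULL)
        return NULL;
    sprintf(buf, "%s%s.", prefix ? prefix : "", name);
    return buf;
}

/* Hardened form: a missing name means there is no member prefix to build,
 * so return NULL before either strlen() or the format call can touch it.
 * Guarding only the size computation would not be enough: the "%s" in the
 * format string would still receive the NULL name. */
char *member_prefix_checked(const char *prefix, const char *name)
{
    if (name == NULL)
        return NULL;

    /* exact size: name + optional prefix + '.' + terminating NUL */
    size_t len = strlen(name) + ((prefix == NULL) ? 0 : strlen(prefix)) + 2;
    char *buf = malloc(len);
    if (buf == NULL)
        return NULL;
    snprintf(buf, len, "%s%s.", prefix ? prefix : "", name);
    return buf;
}
```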