Re: BUG #19527: Double-Abort Crash in `ResOwnerReleaseOSSLCipher` via `encrypt_iv` with Oversized Input

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: 3020001251(at)tju(dot)edu(dot)cn
Cc: pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: BUG #19527: Double-Abort Crash in `ResOwnerReleaseOSSLCipher` via `encrypt_iv` with Oversized Input
Date: 2026-06-22 16:37:33
Message-ID: 484822.1782146253@sss.pgh.pa.us
Lists: pgsql-bugs

PG Bug reporting form <noreply(at)postgresql(dot)org> writes:
> Any role with `EXECUTE` on `encrypt_iv` (granted by default when pgcrypto is
> installed) can crash the backend with a single statement:

> ```sql
> CREATE EXTENSION IF NOT EXISTS pgcrypto;
> SELECT encrypt_iv(
> repeat('A', 1073741308)::bytea,
> decode('00112233445566778899aabbccddeeff', 'hex'),
> decode('000102030405060708090a0b0c0d0e0f', 'hex'),
> 'aes'
> );
> ```

> The fix is to clear `od->owner` before calling `free_openssl_cipher` in
> `ResOwnerReleaseOSSLCipher`:

Good catch, thanks for the report!

regards, tom lane
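
A simplified model of the fix described in the quoted report, added here as an illustration; it is not pgcrypto's code and not part of the thread. All type and function names are hypothetical, and it assumes that the free routine un-registers the object from its owner whenever the owner field is still set, and that the owner has already dropped its entry by the time the release callback runs.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy resource owner tracking a single resource (hypothetical names). */
typedef struct Owner { void *tracked; int errors; } Owner;
typedef struct Cipher { Owner *owner; } Cipher;

/* Un-register a resource. If the owner no longer has the entry, the model
 * counts an error; in a real backend this would be an error raised while an
 * abort is already in progress. */
static void owner_forget(Owner *o, void *res)
{
    if (o->tracked == res)
        o->tracked = NULL;
    else
        o->errors++;
}

/* Normal-path free: un-registers from the owner if one is still set. */
static void free_cipher(Cipher *c)
{
    if (c->owner != NULL)
        owner_forget(c->owner, c);
    free(c);
}

/* Release callbacks run by the owner during abort cleanup. */
static void release_unfixed(Cipher *c) { free_cipher(c); }
static void release_fixed(Cipher *c)   { c->owner = NULL; free_cipher(c); }

/* Simulate abort cleanup: the owner drops its entry, then runs the callback.
 * Returns the number of errors raised during cleanup, or -1 on alloc failure. */
static int abort_cleanup(void (*release)(Cipher *))
{
    Owner o = { NULL, 0 };
    Cipher *c = malloc(sizeof *c);
    if (c == NULL)
        return -1;
    c->owner = &o;
    o.tracked = c;      /* resource remembered while in use */
    o.tracked = NULL;   /* assumption: entry removed before the callback */
    release(c);
    return o.errors;
}

int main(void)
{
    printf("unfixed: %d error(s) during abort\n", abort_cleanup(release_unfixed));
    printf("fixed:   %d error(s) during abort\n", abort_cleanup(release_fixed));
    return 0;
}
```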
