| From: | Галкин Сергей <galkin(at)rutoken(dot)ru> |
|---|---|
| To: | "pgadmin-hackers(at)lists(dot)postgresql(dot)org" <pgadmin-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | DEREF_AFTER_NULL: src/common/jsonapi.c:2529 |
| Date: | 2026-04-06 08:09:46 |
| Message-ID: | 6c6cc4b06b8e4f3ab91029c5e7f2e479@rutoken.ru |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgadmin-hackers |
Hello, a static analyzer pointed out a possible NULL dereference at the end of json_errdetail() (src/common/jsonapi.c):
return lex->errormsg->data;
That seemed plausible to me, since there is a comment just above saying that lex->errormsg can be NULL in shlib code. I also checked PQExpBufferBroken(), and it does handle NULL, but that call is under #ifdef, while the final access to lex->errormsg->data is unconditional.
I may be missing some invariant here, but it seems worth adding an explicit NULL check. I prepared a corresponding patch and am attaching it below in case you agree that this is a real issue.
diff --git a/src/common/jsonapi.c b/src/common/jsonapi.c
index 1145d93945f..192040b5443 100644
--- a/src/common/jsonapi.c
+++ b/src/common/jsonapi.c
@@ -2525,6 +2525,9 @@ json_errdetail(JsonParseErrorType error, JsonLexContext *lex)
if (PQExpBufferBroken(lex->errormsg))
return _("out of memory while constructing error description");
#endif
+
+ if (!lex->errormsg)
+ return _("out of memory while constructing error description");
return lex->errormsg->data;
}
Best regards, Galkin Sergey
| Attachment | Content-Type | Size |
|---|---|---|
| 0001-Added-an-additional-check-when-dereferencing-a-point.patch | text/x-patch | 769 bytes |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Ashesh Vashi | 2026-04-06 08:40:25 | Re: DEREF_AFTER_NULL: src/common/jsonapi.c:2529 |
| Previous Message | Akshay Joshi | 2026-04-02 10:23:11 | pgAdmin 4 v9.14 Released |