Re: [PATCH] Fix NULL dereference in pg_get_database_ddl()

On Fri, 10 Apr 2026 at 19:27, Ayush Tiwari <ayushtiwari(dot)slg01(at)gmail(dot)com>
wrote:

> Hi,
>
> pg_get_database_ddl_internal() can dereference a NULL pointer when
> pg_database.dattablespace points to a tablespace OID that no longer
> exists.
>
> The immediate issue is that get_tablespace_name() may return NULL, but
> the result is passed directly to pg_strcasecmp():
>
> spcname = get_tablespace_name(dbform->dattablespace);
> if (pg_strcasecmp(spcname, "pg_default") != 0)
> ...
>
> That leads to a backend crash. I reproduced it on current master as a
> SIGSEGV with crash recovery.
>
> This function was introduced by commit a4f774cf1c7.
>
> Deterministic reproduction:
>
> CREATE DATABASE regression_testdb;
> SET allow_system_table_mods = on;
> UPDATE pg_database
> SET dattablespace = 99999
> WHERE datname = 'regression_testdb';
> RESET allow_system_table_mods;
>
> SELECT * FROM pg_get_database_ddl('regression_testdb');
>
> The attached patch fixes this by checking for NULL before calling
> pg_strcasecmp(). In that case, pg_get_database_ddl() simply omits the
> TABLESPACE clause.
>
> I also added a regression test in database_ddl.sql that exercises this
> case by setting dattablespace to a non-existent OID and verifying that
> the function returns successfully.
>
> Patch attached. Please review and let me know if it needs any edits.
> Thanks!
>
> Regards,
> Ayush Tiwari
>

Re-attaching patch without trailing white-space

Regards,
Ayush