| From: | Richard Guo <guofenglinux(at)gmail(dot)com> |
|---|---|
| To: | Pg Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | plpython: NULL pointer dereference on broken sequence objects |
| Date: | 2026-06-25 08:49:31 |
| Message-ID: | CAMbWs49BKM9wP6m8bCXEpHwQKp7usvOGV6Jf=J7FYr_BCpxLqg@mail.gmail.com |
| Lists: | pgsql-hackers |

While looking into the recent plperl NULL pointer dereference issue,
which ended up as 4015abe14, I found a similar issue in plpython, with
the help of an LLM tool (Claude 4.8).

There are 6 callers of PySequence_GetItem() in plpython, and none of
them checks the returned result before using it. PySequence_GetItem()
can return NULL whenever an element cannot be fetched, so an object
that claims a length it cannot actually deliver is enough to crash the
backend.

For example:

    CREATE FUNCTION test() RETURNS int[] AS $$
    class C:
        def __len__(self):
            return 2
        def __getitem__(self, i):
            raise ValueError('boom')
    return C()
    $$ LANGUAGE plpython3u;

    SELECT test();  -- crashes

The attached patch checks the result of PySequence_GetItem() in each
place and errors out if it is NULL.

- Richard

| Attachment | Content-Type | Size |
|---|---|---|
| v1-0001-plpython-Fix-NULL-pointer-dereference-for-broken-.patch | application/octet-stream | 14.3 KB |
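
The mismatch the message describes can be observed outside the backend. This added example is not part of the original post or the attached patch; it calls the same CPython C-API functions through `ctypes` and records where `PySequence_GetItem()` fails for an object whose length claim it cannot honor. `probe_sequence` is a hypothetical helper name, the sample inputs are constructed, and CPython is assumed.

```python
import ctypes

# The same C-API entry points a C extension calls, reached through ctypes.
api = ctypes.pythonapi
api.PySequence_Check.argtypes = [ctypes.py_object]
api.PySequence_Check.restype = ctypes.c_int
api.PySequence_Size.argtypes = [ctypes.py_object]
api.PySequence_Size.restype = ctypes.c_ssize_t
api.PySequence_GetItem.argtypes = [ctypes.py_object, ctypes.c_ssize_t]
api.PySequence_GetItem.restype = ctypes.py_object


class C:
    """The object from the report: claims two elements, delivers none."""

    def __len__(self):
        return 2

    def __getitem__(self, i):
        raise ValueError('boom')


def probe_sequence(obj):
    """Return (claimed_length, items, failures) as a C caller would observe them.

    failures maps index -> exception type name for every index where
    PySequence_GetItem() reported an error (a NULL return in C).
    """
    if not api.PySequence_Check(obj):
        raise TypeError("not a sequence")
    claimed = api.PySequence_Size(obj)
    items, failures = [], {}
    for i in range(claimed):
        try:
            # ctypes raises the pending Python exception when the call
            # returns NULL; C code has to test the pointer itself.
            items.append(api.PySequence_GetItem(obj, i))
        except Exception as exc:
            failures[i] = type(exc).__name__
    return claimed, items, failures


if __name__ == "__main__":
    for sample in ([10, 20], C()):  # constructed sample inputs
        print(type(sample).__name__, probe_sequence(sample))
```

The object passes `PySequence_Check()` and reports a size of 2, so only the per-element result tells a caller that the fetch failed.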