From 1f2b319204ba0fae0fbf105e1eb531879c67294b Mon Sep 17 00:00:00 2001
From: Ayush Tiwari
Date: Tue, 12 May 2026 19:20:08 +0000
Subject: [PATCH v2] Fix refint cascade UPDATE crash with NULL keys

check_foreign_key() builds cascade UPDATE queries using the new key value retrieved by SPI_getvalue(). After commit 260e97733bf (CVE-2026-6637) it passes that value through quote_literal_cstr() to properly escape literals in the generated SQL. When the new key value is NULL, however, SPI_getvalue() returns a NULL pointer, which quote_literal_cstr() then dereferences in its strlen() call, crashing the backend. Emit the SQL NULL keyword directly when SPI_getvalue() returns NULL.

Reported-by: Nikita Kalinin
Discussion: https://postgr.es/m/19476-bd04ea6241345303@postgresql.org
---
contrib/spi/refint.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/contrib/spi/refint.c b/contrib/spi/refint.c
index c44c87bcd96..5428b511c16 100644
--- a/contrib/spi/refint.c
+++ b/contrib/spi/refint.c
@@ -486,8 +486,17 @@ check_foreign_key(PG_FUNCTION_ARGS)
 Assert(fn > 0); /* already checked above */
 nv = SPI_getvalue(newtuple, tupdesc, fn);
- appendStringInfo(&sql, " %s = %s ",
- args2[k], quote_literal_cstr(nv));
+ /*
+ * SPI_getvalue() returns NULL for SQL NULL values.
+ * Emit the NULL keyword directly rather than passing
+ * a NULL pointer to quote_literal_cstr(), which would
+ * dereference it.
+ */
+ if (nv == NULL)
+ appendStringInfo(&sql, " %s = NULL ", args2[k]);
+ else
+ appendStringInfo(&sql, " %s = %s ",
+ args2[k], quote_literal_cstr(nv));
 if (k < nkeys)
 appendStringInfoString(&sql, ", ");
 }
--
2.43.0
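Review bot: The new NULL branch duplicates the SET-clause format string, so the two shapes can drift apart; the same fix reads as one call, `appendStringInfo(&sql, " %s = %s ", args2[k], nv ? quote_literal_cstr(nv) : "NULL");`. SPI_getvalue() also returns NULL when it rejects the attribute number and sets SPI_result, which the preceding `Assert(fn > 0)` makes unreachable here, but the added comment could say that the NULL return is attributed to SQL NULL only because fn was already validated. The patch adds no regression test; a cascade UPDATE that sets the referenced key to NULL in the contrib/spi tests would pin the fix and catch a regression of the strlen() crash. args2[k] is still interpolated into the generated SQL as a bare identifier in this clause — if the column names are not already passed through quote_identifier() earlier in check_foreign_key(), they deserve the same treatment the literal received. check_foreign_key() begins and ends outside the hunk.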