From 939d10cd8711fdeb7f0ff62c9c6b08e3eddbba3e Mon Sep 17 00:00:00 2001
From: Tom Lane <tgl@sss.pgh.pa.us>
Date: Sun, 3 Jan 2016 16:26:38 -0500
Subject: [PATCH] Guard against null arguments in
binary_upgrade_create_empty_extension().
The CHECK_IS_BINARY_UPGRADE macro is not sufficient security protection
if we're going to dereference pass-by-reference arguments before it.
But in any case we really need to explicitly check PG_ARGISNULL for all
the arguments of a non-strict function, not only the ones we expect null
values for.
Oversight in commits 30982be4e5019684e1772dd9170aaa53f5a8e894 and
f92fc4c95ddcc25978354a8248d3df22269201bc. Found by Andreas Seltenreich.
(The other usages in pg_upgrade_support.c seem safe.)
---
src/backend/utils/adt/pg_upgrade_support.c | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/src/backend/utils/adt/pg_upgrade_support.c b/src/backend/utils/adt/pg_upgrade_support.c
index b5c732bfca2..912eadaf369 100644
--- a/src/backend/utils/adt/pg_upgrade_support.c
+++ b/src/backend/utils/adt/pg_upgrade_support.c
@@ -129,16 +129,28 @@ binary_upgrade_set_next_pg_authid_oid(PG_FUNCTION_ARGS)
Datum
binary_upgrade_create_empty_extension(PG_FUNCTION_ARGS)
{
- text *extName = PG_GETARG_TEXT_PP(0);
- text *schemaName = PG_GETARG_TEXT_PP(1);
- bool relocatable = PG_GETARG_BOOL(2);
- text *extVersion = PG_GETARG_TEXT_PP(3);
+ text *extName;
+ text *schemaName;
+ bool relocatable;
+ text *extVersion;
Datum extConfig;
Datum extCondition;
List *requiredExtensions;
CHECK_IS_BINARY_UPGRADE;
+ /* We must check these things before dereferencing the arguments */
+ if (PG_ARGISNULL(0) ||
+ PG_ARGISNULL(1) ||
+ PG_ARGISNULL(2) ||
+ PG_ARGISNULL(3))
+ elog(ERROR, "null argument to binary_upgrade_create_empty_extension is not allowed");
+
+ extName = PG_GETARG_TEXT_PP(0);
+ schemaName = PG_GETARG_TEXT_PP(1);
+ relocatable = PG_GETARG_BOOL(2);
+ extVersion = PG_GETARG_TEXT_PP(3);
+
if (PG_ARGISNULL(4))
extConfig = PointerGetDatum(NULL);
else
--
GitLab