From 939d10cd8711fdeb7f0ff62c9c6b08e3eddbba3e Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Sun, 3 Jan 2016 16:26:38 -0500
Subject: [PATCH] Guard against null arguments in binary_upgrade_create_empty_extension().

The CHECK_IS_BINARY_UPGRADE macro is not sufficient security protection if we're going to dereference pass-by-reference arguments before it. But in any case we really need to explicitly check PG_ARGISNULL for all the arguments of a non-strict function, not only the ones we expect null values for. Oversight in commits 30982be4e5019684e1772dd9170aaa53f5a8e894 and f92fc4c95ddcc25978354a8248d3df22269201bc. Found by Andreas Seltenreich. (The other usages in pg_upgrade_support.c seem safe.)
---
 src/backend/utils/adt/pg_upgrade_support.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/src/backend/utils/adt/pg_upgrade_support.c b/src/backend/utils/adt/pg_upgrade_support.c
index b5c732bfca..912eadaf36 100644
--- a/src/backend/utils/adt/pg_upgrade_support.c
+++ b/src/backend/utils/adt/pg_upgrade_support.c
@@ -129,16 +129,28 @@ binary_upgrade_set_next_pg_authid_oid(PG_FUNCTION_ARGS)
 Datum
 binary_upgrade_create_empty_extension(PG_FUNCTION_ARGS)
 {
- text *extName = PG_GETARG_TEXT_PP(0);
- text *schemaName = PG_GETARG_TEXT_PP(1);
- bool relocatable = PG_GETARG_BOOL(2);
- text *extVersion = PG_GETARG_TEXT_PP(3);
+ text *extName;
+ text *schemaName;
+ bool relocatable;
+ text *extVersion;
 Datum extConfig;
 Datum extCondition;
 List *requiredExtensions;
 CHECK_IS_BINARY_UPGRADE;
+ /* We must check these things before dereferencing the arguments */
+ if (PG_ARGISNULL(0) ||
+ PG_ARGISNULL(1) ||
+ PG_ARGISNULL(2) ||
+ PG_ARGISNULL(3))
+ elog(ERROR, "null argument to binary_upgrade_create_empty_extension is not allowed");
+
+ extName = PG_GETARG_TEXT_PP(0);
+ schemaName = PG_GETARG_TEXT_PP(1);
+ relocatable = PG_GETARG_BOOL(2);
+ extVersion = PG_GETARG_TEXT_PP(3);
+
 if (PG_ARGISNULL(4))
 extConfig = PointerGetDatum(NULL);
 else
-- 
2.40.0
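Review bot: The new comment above the `PG_ARGISNULL(0..3)` test does not record why the statement order matters, so a later tidy-up could fold the `PG_GETARG_TEXT_PP()` calls back into the declarations and bring back the null dereference ahead of `CHECK_IS_BINARY_UPGRADE`. The commit message has the reasoning (the function is non-strict, so NULLs reach the body, and the binary-upgrade check alone is no protection if arguments are fetched first), but the code does not. I would widen the comment to something like `/* Non-strict function: NULLs reach us, so keep CHECK_IS_BINARY_UPGRADE and these tests ahead of every PG_GETARG_*() fetch */`. The single `elog` message also does not say which of the four arguments was null; that is acceptable for an internal pg_upgrade helper but worth a word in the comment. The function body continues past the end of the hunk, so the handling of the arguments after 4 is not visible here and should be checked against the same rule.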