From: | Julien Rouhaud <rjuju123(at)gmail(dot)com> |
---|---|
To: | wliang(at)stu(dot)xidian(dot)edu(dot)cn |
Cc: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
Subject: | Re: Report a potential bug caused by a improper call to pfree() |
Date: | 2022-01-30 13:36:24 |
Message-ID: | 20220130133624.gmxsaxfvkbg4rz7y@jrouhaud |
Lists: | pgsql-bugs |
Hi,
On Sun, Jan 30, 2022 at 10:47:18AM +0800, wliang(at)stu(dot)xidian(dot)edu(dot)cn wrote:
>
> I find a potential bug caused by an improper call to pfree in PostgreSQL 14.1, which is in backend/utils/adt/jsonb_gin.c
>
> Specifically, at line 1116, the pointer 'stack' is assigned with the address of a local variable 'tail'.
> At line 1163, pfree() is called to free 'stack'. However, pfree is designed to free the memory in heap rather than stack.
>
> 1158 case WJB_END_ARRAY:
> 1159 case WJB_END_OBJECT:
> 1160 /* Pop the stack */
> 1161 parent = stack->parent;
> 1162 pfree(stack);
>
> I think it may be a potential bug and can be fixed without any side-effect as:
>
>
> ++ if (stack != &tail)
> 1162 pfree(stack);
I don't think it's necessary, it should be guaranteed that something has been
pushed on the tail, i.e. there shouldn't be a WJB_END_* before a corresponding
begin.
Note that the tail also can't have a parent, so even if that scenario could
happen, it would crash in the previous instruction anyway, trying to
dereference a NULL pointer.
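The push/pop invariant discussed above can be seen in a small model. The following is an added example, not PostgreSQL's jsonb_gin.c code: it keeps the bottom frame of the path stack on the C stack ("tail", parent NULL) and heap-allocates a frame for every nested container, so that on a balanced begin/end stream every pop frees heap memory and the tail is never popped. The token alphabet ('[', '{' for begin, ']', '}' for end, anything else a scalar), the `PathStack` struct and the `walk_tokens` function are constructed for this illustration; on an unbalanced stream the model returns -1 instead of freeing a stack address.

```c
#include <stdio.h>
#include <stdlib.h>

/* One frame of the container path, modelled on the struct the report describes:
 * the bottom frame ('tail') lives on the C stack, every nested container gets
 * a heap-allocated frame whose parent pointer leads back down to the tail.
 * (Constructed for this example; not the PostgreSQL definition.) */
typedef struct PathStack
{
    struct PathStack *parent;
    int depth;
} PathStack;

/*
 * Walk a constructed token stream: '[' or '{' is a "begin" token, ']' or '}'
 * an "end" token, any other character a scalar value.  Returns the number of
 * heap frames popped and freed, or -1 if the stream is unbalanced.
 */
static int
walk_tokens(const char *toks)
{
    PathStack tail;
    PathStack *stack = &tail;
    int freed = 0;

    tail.parent = NULL;     /* the tail is the bottom: it has no parent */
    tail.depth = 0;

    for (const char *p = toks; *p; p++)
    {
        switch (*p)
        {
            case '[':
            case '{':
            {
                /* Push: only heap frames ever sit above the tail. */
                PathStack *frame = malloc(sizeof(PathStack));

                if (frame == NULL)
                    abort();
                frame->parent = stack;
                frame->depth = stack->depth + 1;
                stack = frame;
                break;
            }
            case ']':
            case '}':
            {
                PathStack *parent;

                /*
                 * An end token while only the tail is on the stack means an
                 * end arrived before its begin.  A balanced stream never
                 * reaches this branch, so in that case the pop below only
                 * ever frees heap memory; the model reports the unbalanced
                 * input here rather than freeing the address of 'tail'.
                 */
                if (stack == &tail)
                    return -1;

                /* Pop the stack: the frame being freed is always heap memory. */
                parent = stack->parent;
                free(stack);
                freed++;
                stack = parent;
                break;
            }
            default:
                break;      /* scalar value: no change to the stack */
        }
    }

    /* Unclosed containers: release them and flag the stream as unbalanced. */
    if (stack != &tail)
    {
        while (stack != &tail)
        {
            PathStack *parent = stack->parent;

            free(stack);
            stack = parent;
        }
        return -1;
    }
    return freed;
}

int
main(void)
{
    printf("balanced  -> %d\n", walk_tokens("{a[bc]{d}}"));   /* 3 */
    printf("early end -> %d\n", walk_tokens("]"));            /* -1 */
    printf("unclosed  -> %d\n", walk_tokens("[[a]"));         /* -1 */
    return 0;
}
```

The equality test against `&tail` is exactly the guard the report proposes; the model shows that on well-formed input it is never true, and that on malformed input the problem is the unbalanced stream itself, which a caller would want to detect rather than silently skip.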