Re: BUG #18908: DEREF_OF_NULL: After having been assigned to a NULL value at descriptor.c:203

Поиск
Список
Период
Сортировка
От Алена Васильева
Тема Re: BUG #18908: DEREF_OF_NULL: After having been assigned to a NULL value at descriptor.c:203
Дата
Msg-id CABg3sZqmmRQ_SzxGPtKFNZXUtU_nUxmfOJCOgP+kC+myBzoU+Q@mail.gmail.com
обсуждение исходный текст
Ответ на BUG #18908: DEREF_OF_NULL: After having been assigned to a NULL value at descriptor.c:203  (PG Bug reporting form <noreply@postgresql.org>)
Список pgsql-bugs
Дерево обсуждения

Hello,

This is regarding bug report BUG #18908: 18908-6531c66d23729837@postgresql.org.

I have reviewed this block of code and concluded that it does not require any fixes. This is a false positive from the static analyzer.

In the output_get_descr() function, there is a call:

```
ECPGdump_a_type(base_yyout, v->name, v->type, v->brace_level,
NULL, NULL, -1, NULL, NULL, str_zero, NULL, NULL);
```
where the 5th parameter is passed as NULL.
Then, in the ECPGdump_a_type() function, this 5th parameter is defined as ind_name and is passed as the 3rd parameter to:
```
ECPGdump_a_struct(o, name, ind_name, str_one, type, ind_type, prefix, ind_prefix);
```
In ECPGdump_a_struct(), there is a dereference of the ind_name pointer:
```
char *ind_pbuf = (char *) mm_alloc(strlen(ind_name) + ((ind_prefix == NULL) ? 0 : strlen(ind_prefix)) + 3);
```
Here, if ind_name == NULL, calling strlen(ind_name) would cause a process crash (segmentation fault).
To demonstrate that this can never happen and that the analyzer is mistaken, let’s look at the condition under which ECPGdump_a_struct() is called from ECPGdump_a_type():
```
switch (type->type)
{
    case ECPGt_struct:
```
That is, only if the processed variable is of type struct.
However, output_get_descr() never processes structs — it only works with descriptors.
The field type->type (which is v->type) comes from:
```
const struct variable *v = find_variable(results->variable);
```
But in output_get_descr(), we process descriptor fields (SQLDA), and results->value is one of the descriptor’s fields.
All these fields are primitive types, not structs:
```
/* descriptor items */
enum ECPGdtype
{
    ECPGd_count = 1,
    ECPGd_data,
    ECPGd_di_code,
    ECPGd_di_precision,
    ECPGd_indicator,
    ECPGd_key_member,
    ECPGd_length,
    ECPGd_name,
    ECPGd_nullable,
    ECPGd_octet,
    ECPGd_precision,
    ECPGd_ret_length,
    ECPGd_ret_octet,
    ECPGd_scale,
    ECPGd_type,
    ECPGd_EODT, /* End of descriptor types. */
    ECPGd_cardinality
};

```
Therefore, ECPGdump_a_struct() will never be called from output_get_descr() because:
  1. v->type->type will never be ECPGt_struct in this context;
  2. results->value refers to descriptor fields, not C structs.
Consequently, a call to strlen(ind_name) with ind_name == NULL is unreachable.

Best regards, Eugeny Goryachev




В списке pgsql-bugs по дате отправления: