pgsql: Fix two errors with nested CASE/WHEN constructs.
| От | Tom Lane |
|---|---|
| Тема | pgsql: Fix two errors with nested CASE/WHEN constructs. |
| Дата | |
| Msg-id | E1bWlcz-0007FL-6y@gemulon.postgresql.org обсуждение исходный текст |
| Список | pgsql-committers |
Fix two errors with nested CASE/WHEN constructs. ExecEvalCase() tried to save a cycle or two by passing &econtext->caseValue_isNull as the isNull argument to its sub-evaluation of the CASE value expression. If that subexpression itself contained a CASE, then *isNull was an alias for econtext->caseValue_isNull within the recursive call of ExecEvalCase(), leading to confusion about whether the inner call's caseValue was null or not. In the worst case this could lead to a core dump due to dereferencing a null pointer. Fix by not assigning to the global variable until control comes back from the subexpression. Also, avoid using the passed-in isNull pointer transiently for evaluation of WHEN expressions. (Either one of these changes would have been sufficient to fix the known misbehavior, but it's clear now that each of these choices was in itself dangerous coding practice and best avoided. There do not seem to be any similar hazards elsewhere in execQual.c.) Also, it was possible for inlining of a SQL function that implements the equality operator used for a CASE comparison to result in one CASE expression's CaseTestExpr node being inserted inside another CASE expression. This would certainly result in wrong answers since the improperly nested CaseTestExpr would be caused to return the inner CASE's comparison value not the outer's. If the CASE values were of different data types, a crash might result; moreover such situations could be abused to allow disclosure of portions of server memory. To fix, teach inline_function to check for "bare" CaseTestExpr nodes in the arguments of a function to be inlined, and avoid inlining if there are any. Heikki Linnakangas, Michael Paquier, Tom Lane Report: https://github.com/greenplum-db/gpdb/pull/327 Report: <4DDCEEB8.50602@enterprisedb.com> Security: CVE-2016-5423 Branch ------ REL9_2_STABLE Details ------- http://git.postgresql.org/pg/commitdiff/8b32516db20c836d6e3c31d81adf75b3a297663d Modified Files -------------- src/backend/executor/execQual.c | 22 +++++++--- src/backend/optimizer/util/clauses.c | 81 ++++++++++++++++++++++++++++++++++++ src/test/regress/expected/case.out | 44 ++++++++++++++++++++ src/test/regress/sql/case.sql | 43 +++++++++++++++++++ 4 files changed, 185 insertions(+), 5 deletions(-)
В списке pgsql-committers по дате отправления: