Re: BUG #4791: NULL value in function causes reproducible segmentation fault

On 2009-05-05, Sikkerhed.org ApS <support@sikkerhed.org> wrote:
>
> The following bug has been logged online:
>
> Bug reference:      4791
> Logged by:          Sikkerhed.org ApS
> Email address:      support@sikkerhed.org
> PostgreSQL version: 8.3.7-0lenny1
> Operating system:   Debian GNU/Linux 5.0.1 stable (fully updated)
> Description:        NULL value in function causes reproducible segmentation
> fault
> Details:
>
> We are using a couple of functions in PostgreSQL, namely
>
> CREATE OR REPLACE FUNCTION digest(text, text) RETURNS bytea AS
> '$libdir/pgcrypto', 'pg_digest' LANGUAGE 'C';
>
> CREATE OR REPLACE FUNCTION sha1(text) RETURNS text AS 'SELECT
> ENCODE(DIGEST($1, ''sha1''), ''hex'') AS result' LANGUAGE 'SQL';
>
>
> We experienced a bad crash on our production server, and narrowed it down to
> a reproducible test case.
>
> The following query will crash the server every time:
>
> SELECT SHA1(NULL);
>
> Please let us know if you require more information.

AFAICT this exploits a documented feature of the 'C' language, namely
if you crash the C the backend is compromised.

the fix is easy:

 CREATE OR REPLACE FUNCTION digest(text, text) RETURNS bytea AS
 '$libdir/pgcrypto', 'pg_digest' LANGUAGE 'C'
 RETURNS NULL ON NULL INPUT ;