author | Peter Eisentraut <peter_e@gmx.net> | 2009-11-03 08:59:16 +0000 |
---|---|---|
committer | Peter Eisentraut <peter_e@gmx.net> | 2009-11-03 08:59:16 +0000 |
commit | 59052a5122dbc56e5dfd615bb199a07ffb7bb03e (patch) | |
tree | e2ff052b6f76e14db20fcd32ac8a0ae751669225 /src | |
parent | 01adc8afd55f3ae831e32b6ce19f7c61f4baac28 (diff) | |
Fix obscure segfault condition in PL/Python

In PLy_output(), when the elog() call in the TRY branch throws an exception
(this can happen when a statement timeout kicks in, for example), the
PyErr_SetString() call in the CATCH branch can cause a segfault, because the
Py_XDECREF(so) call before it releases memory that is still used by the sv
variable that PyErr_SetString() uses as argument, because sv points into
memory owned by so.

Backpatched back to 8.0, where this code was introduced.

I also threw in a couple of volatile declarations for variables that are used
before and after the TRY. I don't think they caused the crash that I
observed, but they could become issues.
Diffstat (limited to 'src')
-rw-r--r-- | src/pl/plpython/plpython.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/src/pl/plpython/plpython.c b/src/pl/plpython/plpython.c index 43c7fce2e5f..7db8369c61f 100644 --- a/src/pl/plpython/plpython.c +++ b/src/pl/plpython/plpython.c @@ -1,7 +1,7 @@ /********************************************************************** * plpython.c - python as a procedural language for PostgreSQL * - * $PostgreSQL: pgsql/src/pl/plpython/plpython.c,v 1.122 2009/06/11 14:49:14 momjian Exp $ + * $PostgreSQL: pgsql/src/pl/plpython/plpython.c,v 1.122.2.1 2009/11/03 08:59:16 petere Exp $ * ********************************************************************* */ @@ -2893,9 +2893,9 @@ PLy_fatal(PyObject *self, PyObject *args) static PyObject * PLy_output(volatile int level, PyObject *self, PyObject *args) { - PyObject *so; + PyObject *volatile so; char *volatile sv; - MemoryContext oldcontext; + volatile MemoryContext oldcontext; so = PyObject_Str(args); if (so == NULL || ((sv = PyString_AsString(so)) == NULL)) @@ -2914,6 +2914,10 @@ PLy_output(volatile int level, PyObject *self, PyObject *args) MemoryContextSwitchTo(oldcontext); PLy_error_in_progress = CopyErrorData(); FlushErrorState(); + + PyErr_SetString(PLy_exc_error, sv); + /* Note: If sv came from PyString_AsString(), it points into + * storage owned by so. So free so after using sv. */ Py_XDECREF(so); /* @@ -2921,7 +2925,6 @@ PLy_output(volatile int level, PyObject *self, PyObject *args) * control passes back to PLy_procedure_call, we check for PG * exceptions and re-throw the error. */ - PyErr_SetString(PLy_exc_error, sv); return NULL; } PG_END_TRY(); |
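Review bot: In the hunk at @@ -2893, the new volatile qualifiers on `so` and `oldcontext` carry no comment saying why they are needed. PG_TRY/PG_CATCH is built on sigsetjmp/longjmp, and both variables are read in the CATCH branch (`MemoryContextSwitchTo(oldcontext);` and `Py_XDECREF(so);`), so a one-line comment above the declarations stating that would keep a later cleanup from dropping the qualifiers. The form `PyObject *volatile so`, which qualifies the pointer rather than the pointee, matches the existing `char *volatile sv` and is the right one.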
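Review bot: In the hunk at @@ -2914, the comment that explains the ordering is placed after `PyErr_SetString(PLy_exc_error, sv);` instead of before it, so it reads as a remark on `Py_XDECREF(so);` alone. Moving it above the PyErr_SetString() call and wording it as a rule (sv must not be used once so has been released) would make the dependency between the two statements clear to whoever next reorders this branch. The new comment also starts its text on the `/*` line, while the block comment that follows it in the same branch puts `/*` on a line by itself; matching that layout would keep the function consistent.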