The following bug has been logged on the website:
Bug reference: 18910
Logged by: Eugeny Goryachev
Email address: gorcom2012@gmail.com
PostgreSQL version: 17.4
Operating system: Ubuntu
Description:
DEREF_OF_NULL.RET - Pointer returned from function 'palloc0' at
simplehash.h:1080 may be NULL and is dereferenced at simplehash.h:1105.
Issue Description:
In the file /src/include/lib/simplehash.h, within the SH_STAT() function,
there is a call to palloc0() that may return NULL:
uint32 *collisions = (uint32 *) palloc0(tb->size * sizeof(uint32));
Subsequently, the pointer is dereferenced:
collisions[optimal]++;
If collisions == NULL, this would cause a segmentation fault.
Server-side: No issue exists since the server version of palloc never
returns NULL (throws an error instead).
Client utilities: simplehash is used in tools like pg_dump,
pg_verifybackup, and pg_rewind, which use the frontend version of palloc
(from libpgcommon). The frontend variant can return NULL on memory
allocation failure.
Solution:
A NULL check should be added when the FRONTEND macro is defined.
diff --git a/src/include/lib/simplehash.h b/src/include/lib/simplehash.h
index 3e1b1f94616..c4a1419a202 100644
--- a/src/include/lib/simplehash.h
+++ b/src/include/lib/simplehash.h
@@ -1078,6 +1078,10 @@ SH_STAT(SH_TYPE * tb)
uint32 i;
uint32 *collisions = (uint32 *) palloc0(tb->size *
sizeof(uint32));
+#ifdef FRONTEND
+ if (unlikely(collisions == NULL))
+ pg_fatal("out of memory");
+#endif
uint32 total_collisions = 0;
uint32 max_collisions = 0;
double avg_collisions;
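Review bot: the added check is unreachable unless the frontend palloc0 actually returns NULL on failure, so that should be confirmed against src/common/fe_memutils.c before this goes in: the plain pg_malloc0 path there prints "out of memory" and exits, and only the MCXT_ALLOC_NO_OOM variants hand NULL back to the caller, in which case this `if (unlikely(collisions == NULL))` is dead code and the static-analysis finding is a false positive to annotate rather than a crash to fix. If a check is kept, two smaller points: the `#ifdef FRONTEND` block is inserted between the declaration of `collisions` and `uint32 total_collisions = 0;`, which turns the following declarations into declarations-after-statement (PostgreSQL builds with -Wdeclaration-after-statement), so move the check below the last declaration; and rather than calling pg_fatal() directly under `#ifdef FRONTEND`, use the header's own sh_error() wrapper, which already maps to pg_fatal() in frontend builds and elog(ERROR) in the backend and removes the need for the conditional.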
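The report turns on which allocation contract the caller is running under: an allocator that terminates the process on failure never returns NULL, so a check after it is dead code, while a "no OOM" variant returns NULL and makes the check load-bearing. The example below is added here to illustrate that distinction and is not code from the bug report or from PostgreSQL; the allocator, the ALLOC_NO_OOM flag, the fault injection and the tiny linear-probing table are all this example's own constructions, loosely modelled on the SH_STAT-style collision count the report quotes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Example's own flag: on failure return NULL instead of exiting. */
#define ALLOC_NO_OOM 0x01

/* Constructed fault injection: requests larger than this many bytes fail
 * (0 disables injection). */
static size_t fail_above_bytes = 0;

static void *
example_alloc0(size_t size, int flags)
{
	void	   *p;

	if (size == 0)
		size = 1;				/* avoid unportable calloc(0) */
	if (fail_above_bytes != 0 && size > fail_above_bytes)
		p = NULL;				/* injected failure */
	else
		p = calloc(1, size);

	if (p == NULL)
	{
		if (flags & ALLOC_NO_OOM)
			return NULL;		/* caller promised to check */
		fprintf(stderr, "out of memory\n");
		exit(EXIT_FAILURE);		/* default contract: a NULL check after this is dead code */
	}
	return p;
}

/* Minimal linear-probing table, just enough to compute collision stats over. */
typedef struct
{
	uint32_t	size;			/* bucket count */
	uint32_t   *keys;			/* one key per bucket, 0 means empty */
} example_table;

static uint32_t
example_optimal_slot(const example_table *tb, uint32_t key)
{
	return (key * 2654435761u) % tb->size;	/* multiplicative hash */
}

static void
example_insert(example_table *tb, uint32_t key)
{
	uint32_t	i = example_optimal_slot(tb, key);

	while (tb->keys[i] != 0)
		i = (i + 1) % tb->size;	/* linear probing */
	tb->keys[i] = key;
}

/*
 * SH_STAT-style pass: count entries not sitting in their optimal bucket.
 * The scratch array is requested under ALLOC_NO_OOM, so the NULL check is
 * reachable and the function reports -1 instead of dereferencing NULL.
 */
static int
example_count_displaced(const example_table *tb)
{
	uint32_t   *collisions;
	uint32_t	total = 0;
	uint32_t	i;

	collisions = example_alloc0(tb->size * sizeof(uint32_t), ALLOC_NO_OOM);
	if (collisions == NULL)
		return -1;

	for (i = 0; i < tb->size; i++)
	{
		uint32_t	optimal;

		if (tb->keys[i] == 0)
			continue;
		optimal = example_optimal_slot(tb, tb->keys[i]);
		if (optimal != i)
			collisions[optimal]++;
	}
	for (i = 0; i < tb->size; i++)
		total += collisions[i];

	free(collisions);
	return (int) total;
}

/* Constructed input: keys 1, 9 and 17 all hash to bucket 1 of an 8-bucket table. */
static int
example_scenario(int inject_failure)
{
	uint32_t	keys[8] = {0};
	example_table tb = {8, keys};
	int			result;

	example_insert(&tb, 1);
	example_insert(&tb, 9);
	example_insert(&tb, 17);

	fail_above_bytes = inject_failure ? 16 : 0;	/* scratch array is 32 bytes */
	result = example_count_displaced(&tb);
	fail_above_bytes = 0;
	return result;
}

int
main(void)
{
	printf("displaced entries: %d\n", example_scenario(0));	/* 2 */
	printf("under injected OOM: %d\n", example_scenario(1));	/* -1 */
	return 0;
}
```

Dropping ALLOC_NO_OOM from the example_alloc0() call turns the `collisions == NULL` branch into unreachable code: the process exits inside the allocator before the caller sees a pointer, which is exactly the situation a static analyzer cannot tell apart from a real NULL return without knowing the allocator's contract.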