BUG #19016: Re: BUG #18908: DEREF_OF_NULL: After having been assigned to a NULL value at descriptor.c:203 - Mailing list pgsql-bugs

From: PG Bug reporting form
Subject: BUG #19016: Re: BUG #18908: DEREF_OF_NULL: After having been assigned to a NULL value at descriptor.c:203
Msg-id: 19016-0711e547eb0c3a20@postgresql.org
List: pgsql-bugs
The following bug has been logged on the website:

Bug reference:      19016
Logged by:          Eugeny Goryachev
Email address:      gorcom2012@gmail.com
PostgreSQL version: 17.4
Operating system:   Ubuntu
Description:

Hello,
This is regarding bug report BUG #18908.
I have reviewed this block of code and concluded that it does not require
any fixes. This is a false positive from the static analyzer.
In the output_get_descr() function, there is a call:
```
ECPGdump_a_type(base_yyout, v->name, v->type, v->brace_level,
NULL, NULL, -1, NULL, NULL, str_zero, NULL, NULL);
```
where the 5th parameter is passed as NULL.
Then, in the ECPGdump_a_type() function, this 5th parameter is defined as
ind_name and is passed as the 3rd parameter to:
```
ECPGdump_a_struct(o, name, ind_name, str_one, type, ind_type, prefix,
ind_prefix);
```
In ECPGdump_a_struct(), there is a dereference of the ind_name pointer:
```
char *ind_pbuf = (char *) mm_alloc(strlen(ind_name) + ((ind_prefix == NULL) ? 0 : strlen(ind_prefix)) + 3);
```
Here, if ind_name == NULL, calling strlen(ind_name) would cause a process
crash (segmentation fault).
To demonstrate that this can never happen and that the analyzer is mistaken,
let’s look at the condition under which ECPGdump_a_struct() is called from
ECPGdump_a_type():
```
switch (type->type)
{
    case ECPGt_struct:
```
That is, only if the processed variable is of type struct.
However, output_get_descr() never processes structs — it only works with
descriptors.
The field type->type (which is v->type) comes from:
```
const struct variable *v = find_variable(results->variable);
```
But in output_get_descr(), we process descriptor fields (SQLDA), and
results->value is one of the descriptor’s fields.
All these fields are primitive types, not structs:
```
/* descriptor items */
enum ECPGdtype
{
    ECPGd_count = 1,
    ECPGd_data,
    ECPGd_di_code,
    ECPGd_di_precision,
    ECPGd_indicator,
    ECPGd_key_member,
    ECPGd_length,
    ECPGd_name,
    ECPGd_nullable,
    ECPGd_octet,
    ECPGd_precision,
    ECPGd_ret_length,
    ECPGd_ret_octet,
    ECPGd_scale,
    ECPGd_type,
    ECPGd_EODT, /* End of descriptor types. */
    ECPGd_cardinality
};
```
Therefore, ECPGdump_a_struct() will never be called from output_get_descr()
because:
    v->type->type will never be ECPGt_struct in this context;
    results->value refers to descriptor fields, not C structs.
Consequently, a call to strlen(ind_name) with ind_name == NULL is
unreachable.

Best regards, Eugeny Goryachev
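Editor's added illustration of the reachability argument in the report above. This is not PostgreSQL's ecpg code and nothing in the thread proposes it: `dump_a_type`, `dump_a_struct`, `descr_item_dump`, `dup_str` and the `ecpg_type` enum are stand-ins invented here for the real `ECPGdump_a_type()`, `ECPGdump_a_struct()` and `output_get_descr()`, with far simpler signatures. It reproduces the one property the argument rests on (only the struct arm of the switch ever dereferences `ind_name`) and shows the check a practitioner would add to make that invariant explicit to a static analyzer, namely an assertion on the struct path.

```c
/*
 * Added illustration for this thread, not PostgreSQL's ecpg code: a
 * simplified model of the ECPGdump_a_type() -> ECPGdump_a_struct() dispatch
 * the report walks through. The names dump_a_type, dump_a_struct, dup_str,
 * descr_item_dump and the ecpg_type enum are stand-ins invented here; the
 * real functions have different signatures and do far more.
 */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the ECPGttype values that matter to the argument. */
enum ecpg_type { T_INT, T_CHAR, T_STRUCT };

/* Heap copy of a string (strdup is POSIX, not ISO C, so spell it out). */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/*
 * Stand-in for ECPGdump_a_struct(): sizes the indicator buffer name the same
 * way the quoted mm_alloc(strlen(ind_name) + ...) line does, so a NULL
 * ind_name would crash here exactly as the analyzer warns. The assert is the
 * editor's suggestion for making the invariant visible to reviewers and
 * analyzers: the struct path must only be reached with a real indicator name.
 */
static char *dump_a_struct(const char *name, const char *ind_name,
                           const char *ind_prefix)
{
    size_t len;
    char *ind_pbuf;

    (void) name;            /* the real function also dumps members; omitted */
    assert(ind_name != NULL);
    len = strlen(ind_name) + ((ind_prefix == NULL) ? 0 : strlen(ind_prefix)) + 3;
    ind_pbuf = malloc(len);
    if (ind_pbuf == NULL)
        return NULL;
    snprintf(ind_pbuf, len, "%s%s",
             (ind_prefix == NULL) ? "" : ind_prefix, ind_name);
    return ind_pbuf;
}

/*
 * Stand-in for ECPGdump_a_type(): only the struct arm ever looks at
 * ind_name. Every scalar arm returns without touching it, which is why a
 * NULL ind_name is harmless for the caller the report discusses.
 */
static char *dump_a_type(const char *name, enum ecpg_type type,
                         const char *ind_name, const char *ind_prefix)
{
    switch (type)
    {
        case T_STRUCT:
            return dump_a_struct(name, ind_name, ind_prefix);
        case T_INT:
        case T_CHAR:
        default:
            return dup_str(name);
    }
}

/*
 * Stand-in for output_get_descr(): descriptor items (ECPGd_count, ECPGd_data,
 * ...) are all scalars, so it passes NULL for ind_name and never reaches the
 * struct arm. The T_STRUCT guard models "enum ECPGdtype has no struct member"
 * as an explicit check; returns NULL for it and on allocation failure.
 */
static char *descr_item_dump(const char *item_name, enum ecpg_type item_type)
{
    if (item_type == T_STRUCT)
        return NULL;
    return dump_a_type(item_name, item_type, NULL, NULL);
}

int main(void)
{
    char *scalar = descr_item_dump("count", T_INT);
    char *rec = dump_a_type("rec", T_STRUCT, "rec_ind", "p_");

    printf("scalar: %s\n", scalar ? scalar : "(null)");
    printf("struct: %s\n", rec ? rec : "(null)");
    free(scalar);
    free(rec);
    return 0;
}
```

Compile with `cc -std=c99 -Wall model.c`. The scalar call with a NULL indicator name succeeds because that arm never reads the pointer; the struct call succeeds only with a real name, and the assertion turns any future caller that violates the invariant into an immediate, attributable failure rather than a strlen() fault deep inside the allocation expression.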

