Kris Jurka <books@ejurka.com> writes:
> On Sat, 13 Oct 2007, Jeremy Palmer wrote:
>> The following query crashes the backend:
>>
>> SELECT xpath('/my:a/text()', '<my:a
>> xmlns:my="http://example.com">test</my:a>');
>>
> This patch avoids the double free of xpathcomp and fixes things for me.
Hmm, I wonder why that doesn't crash here? It certainly looks pretty
broken --- maybe some versions of libxml have internal defenses against
this.
Patch applied, and I also cleaned up some other places where an error
escape might possibly lead to double free. (The other ones are probably
not real risks, since libxml presumably doesn't elog, but we might as
well try to make the code bulletproof in case more PG-aware code gets
inserted in these paths.)
regards, tom lane
