Postgres Pro
Downloads
Home   >   mailing lists

pgsql: Fix two errors with nested CASE/WHEN constructs. - Mailing list pgsql-committers

From Tom Lane
Subject pgsql: Fix two errors with nested CASE/WHEN constructs.
Date
Msg-id E1bWlcz-0007FC-6G@gemulon.postgresql.org
Whole thread Raw
List pgsql-committers
Tree view 
Fix two errors with nested CASE/WHEN constructs.

ExecEvalCase() tried to save a cycle or two by passing
&econtext->caseValue_isNull as the isNull argument to its sub-evaluation of
the CASE value expression.  If that subexpression itself contained a CASE,
then *isNull was an alias for econtext->caseValue_isNull within the
recursive call of ExecEvalCase(), leading to confusion about whether the
inner call's caseValue was null or not.  In the worst case this could lead
to a core dump due to dereferencing a null pointer.  Fix by not assigning
to the global variable until control comes back from the subexpression.
Also, avoid using the passed-in isNull pointer transiently for evaluation
of WHEN expressions.  (Either one of these changes would have been
sufficient to fix the known misbehavior, but it's clear now that each of
these choices was in itself dangerous coding practice and best avoided.
There do not seem to be any similar hazards elsewhere in execQual.c.)

Also, it was possible for inlining of a SQL function that implements the
equality operator used for a CASE comparison to result in one CASE
expression's CaseTestExpr node being inserted inside another CASE
expression.  This would certainly result in wrong answers since the
improperly nested CaseTestExpr would be caused to return the inner CASE's
comparison value not the outer's.  If the CASE values were of different
data types, a crash might result; moreover such situations could be abused
to allow disclosure of portions of server memory.  To fix, teach
inline_function to check for "bare" CaseTestExpr nodes in the arguments of
a function to be inlined, and avoid inlining if there are any.

Heikki Linnakangas, Michael Paquier, Tom Lane

Report: https://github.com/greenplum-db/gpdb/pull/327
Report: <4DDCEEB8.50602@enterprisedb.com>
Security: CVE-2016-5423

Branch
------
master

Details
-------
http://git.postgresql.org/pg/commitdiff/f0c7b789ab12fbc8248b671c7882dd96ac932ef4

Modified Files
--------------
src/backend/executor/execQual.c      | 22 +++++++---
src/backend/optimizer/util/clauses.c | 81 ++++++++++++++++++++++++++++++++++++
src/test/regress/expected/case.out   | 44 ++++++++++++++++++++
src/test/regress/sql/case.sql        | 43 +++++++++++++++++++
4 files changed, 185 insertions(+), 5 deletions(-)

pgsql-committers by date:

Previous
From: Noah Misch
Date:
Subject: pgsql: Field conninfo strings throughout src/bin/scripts.
Next
From: Tom Lane
Date:
Subject: pgsql: Last-minute updates for release notes.