Thread: use-after-free in psql

use-after-free in psql

From: Neil Conway

There's a minor bug in the ON_ERROR_ROLLBACK code in psql. In HEAD, at
line 878 the storage pointed to by "results" is released by a PQclear(),
but is referenced by the PQcmdStatus() calls on lines 898, 899, and 900.

I'm busy at the moment -- if someone wants to fix this (backport to 8.1
please!), have at it. Otherwise I'll fix it this weekend.

-Neil
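
The ordering problem described in the message above, as an added illustration that is not part of the thread and is not either of the attached patches. `demo_result`, `demo_clear` and `demo_cmd_status` are hypothetical stand-ins for the roles of `PGresult`, `PQclear()` and `PQcmdStatus()`, and the status tags checked are constructed sample values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a libpq result object; not the real PGresult. */
typedef struct { char *cmd_status; } demo_result;

static demo_result *demo_make_result(const char *status) {
    demo_result *r = malloc(sizeof *r);
    if (r == NULL) return NULL;
    r->cmd_status = malloc(strlen(status) + 1);
    if (r->cmd_status == NULL) { free(r); return NULL; }
    strcpy(r->cmd_status, status);
    return r;
}

/* Role of PQclear(): releases the result and the strings it owns. */
static void demo_clear(demo_result *r) {
    if (r != NULL) { free(r->cmd_status); free(r); }
}

/* Role of PQcmdStatus(): the returned pointer aliases storage inside r. */
static const char *demo_cmd_status(const demo_result *r) { return r->cmd_status; }

/* Constructed sample check on the status tag (an assumption for this demo). */
static int is_savepoint_cmd(const char *tag) {
    return !strcmp(tag, "SAVEPOINT") || !strcmp(tag, "RELEASE") || !strcmp(tag, "ROLLBACK");
}

/* Buggy order (comment only, it is undefined behaviour):
 *     demo_clear(r); ... demo_cmd_status(r)   -- reads freed memory
 * Safe order: finish every read that depends on the result, clear last, and
 * null the caller's pointer so a stray later use cannot reach freed memory. */
int check_then_clear(demo_result **rp) {
    int verdict = is_savepoint_cmd(demo_cmd_status(*rp));
    demo_clear(*rp);
    *rp = NULL;
    return verdict;
}

int main(void) {
    demo_result *r = demo_make_result("SAVEPOINT");   /* constructed input */
    if (r == NULL) return 1;
    int v = check_then_clear(&r);
    printf("savepoint command: %d, pointer nulled: %d\n", v, r == NULL);
    return 0;
}
```

Building a real libpq program with `-fsanitize=address` makes the buggy ordering abort at the first read of the cleared result instead of passing silently.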

Re: use-after-free in psql

From: Greg Sabino Mullane

> There's a minor bug in the ON_ERROR_ROLLBACK code in psql. In
> HEAD, at line 878 the storage pointed to by "results" is
> released by a PQclear(), but is referenced by the
> PQcmdStatus() calls on lines 898, 899, and 900.
>
> I'm busy at the moment -- if someone wants to fix this
> (backport to 8.1 please!), have at it.

Attached is a quick patch for HEAD and 8.1, which should do the job.
Thanks for finding this.

--
Greg Sabino Mullane greg@turnstep.com
PGP Key: 0x14964AC8 200606301039
http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8


Attachment

Re: use-after-free in psql

From: Alvaro Herrera

Neil Conway wrote:
> There's a minor bug in the ON_ERROR_ROLLBACK code in psql. In HEAD, at
> line 878 the storage pointed to by "results" is released by a PQclear(),
> but is referenced by the PQcmdStatus() calls on lines 898, 899, and 900.

I think this is the fix for HEAD.  I'll apply after testing it a bit
more.

--
Alvaro Herrera                                http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.

Attachment