Thread: BUG #6044: Access violation on XML decl with standalone

BUG #6044: Access violation on XML decl with standalone

From
"Christopher Dillard"
Date:
The following bug has been logged online:

Bug reference:      6044
Logged by:          Christopher Dillard
Email address:      csdillard@gmail.com
PostgreSQL version: 8.4.8
Operating system:   Windows
Description:        Access violation on XML decl with standalone
Details:

Hello,

In PostgreSQL 8.4.8, the function "xml_recv" (in
src/backend/utils/adt/xml.c) calls the function "parse_xml_decl", passing
NULL for the final "standalone" parameter.  However, "parse_xml_decl" does
not check for standalone==NULL, and blindly sets "*standalone = 0".  This
causes a crash if the xml declaration actually has a standalone parameter,
e.g. '<?xml version="1.0" standalone="no"?><anything/>'.

I wish I could provide a SQL test case, but I only found this by setting a
breakpoint on the 0xC0000005 exception in Visual Studio.  (And it was
closed-source third party software that was interacting with PostgreSQL when
the crash occurred, so I can't attack it from that angle.)

I speculate that the source code in question has something to do with
binding XML parameters to prepared statements or function arguments, but
since that's the first time I'd looked at the PostgreSQL source code, I
couldn't say anything for sure.

Am I interpreting this right?  Can someone more knowledgeable provide a SQL
test case?

Thanks!

Re: BUG #6044: Access violation on XML decl with standalone

From
Tom Lane
Date:
"Christopher Dillard" <csdillard@gmail.com> writes:
> In PostgreSQL 8.4.8, the function "xml_recv" (in
> src/backend/utils/adt/xml.c) calls the function "parse_xml_decl", passing
> NULL for the final "standalone" parameter.  However, "parse_xml_decl" does
> not check for standalone==NULL, and blindly sets "*standalone = 0".  This
> causes a crash if the xml declaration actually has a standalone parameter,
> e.g. '<?xml version="1.0" standalone="no"?><anything/>'.

Ugh, you're right.

> I wish I could provide a SQL test case, but I only found this by setting a
> breakpoint on the 0xC0000005 exception in Visual Studio.

AFAIK there isn't any way to exercise the receive functions via psql.
You need a client that will send data as binary parameters.  But it's
obvious by inspection of the code that it's broken.  Will fix, thanks
for the report!

            regards, tom lane
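
Added example, not part of the thread and not PostgreSQL's source: a simplified C parser showing the defect class reported above, an optional out-parameter that must be checked for NULL before every write. The function name, return codes and the -1 "attribute absent" value are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified declaration parser (not PostgreSQL's code).
 * `standalone` is an optional out-parameter: callers that do not need the
 * value pass NULL. Value written: 1 = "yes", 0 = "no", -1 = attribute absent.
 * Returns 0 on success, -1 on a malformed declaration. */
static int parse_decl_standalone(const char *s, int *standalone)
{
    static const char key[] = "standalone=";
    const char *end, *p;
    int value;

    if (standalone)                     /* default, only if requested */
        *standalone = -1;

    if (strncmp(s, "<?xml", 5) != 0)
        return -1;
    end = strstr(s + 5, "?>");
    if (end == NULL)
        return -1;

    p = strstr(s + 5, key);
    if (p == NULL || p >= end)          /* attribute not in the declaration */
        return 0;

    p += sizeof(key) - 1;               /* p is at the opening quote */
    if (*p != '"' && *p != '\'')
        return -1;
    if (strncmp(p + 1, "yes", 3) == 0 && p[4] == *p)
        value = 1;
    else if (strncmp(p + 1, "no", 2) == 0 && p[3] == *p)
        value = 0;
    else
        return -1;

    /* The guard is the point: an unconditional "*standalone = value;" here
     * dereferences NULL for callers that passed NULL, and only when the
     * input actually carries a standalone attribute. */
    if (standalone)
        *standalone = value;
    return 0;
}

int main(void)
{
    /* Constructed input: the declaration quoted in the report. */
    const char *doc = "<?xml version=\"1.0\" standalone=\"no\"?><anything/>";
    printf("NULL out-param: rc=%d\n", parse_decl_standalone(doc, NULL));
    return 0;
}
```

Because the faulting write is reached only when the attribute is present, tests that pass NULL but use declarations without `standalone` never exercise it; a regression test needs both conditions at once.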