Thread: BUG #18910: DEREF_OF_NULL.RET Pointer, returned from function 'palloc0' at simplehash.h:1080, may be NULL
BUG #18910: DEREF_OF_NULL.RET Pointer, returned from function 'palloc0' at simplehash.h:1080, may be NULL
From
PG Bug reporting form
Date:
The following bug has been logged on the website:

Bug reference: 18910
Logged by: Eugeny Goryachev
Email address: gorcom2012@gmail.com
PostgreSQL version: 17.4
Operating system: Ubuntu
Description:

DEREF_OF_NULL.RET - Pointer returned from function 'palloc0' at simplehash.h:1080 may be NULL and is dereferenced at simplehash.h:1105.

Issue Description:

In the file /src/include/lib/simplehash.h, within the SH_STAT() function, there is a call to palloc0() that may return NULL:

    uint32 *collisions = (uint32 *) palloc0(tb->size * sizeof(uint32));

Subsequently, the pointer is dereferenced:

    collisions[optimal]++;

If collisions == NULL, this would cause a segmentation fault.

Server-side: No issue exists since the server version of palloc never returns NULL (throws an error instead).

Client utilities: simplehash is used in tools like pg_dump, pg_verifybackup, and pg_rewind, which use the frontend version of palloc (from libpgcommon). The frontend variant can return NULL on memory allocation failure.

Solution: A NULL check should be added when the FRONTEND macro is defined.

diff --git a/src/include/lib/simplehash.h b/src/include/lib/simplehash.h index 3e1b1f94616..c4a1419a202 100644 --- a/src/include/lib/simplehash.h +++ b/src/include/lib/simplehash.h @@ -1078,6 +1078,10 @@ SH_STAT(SH_TYPE * tb) uint32 i; uint32 *collisions = (uint32 *) palloc0(tb->size * sizeof(uint32)); +#ifdef FRONTEND + if (unlikely(collisions == NULL)) + pg_fatal("out of memory"); +#endif uint32 total_collisions = 0; uint32 max_collisions = 0; double avg_collisions;
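Review bot: the #ifdef FRONTEND block inserted after the palloc0 call in SH_STAT guards a condition that cannot occur, so the hunk adds dead code rather than a fix and should be dropped. As the reply in this thread states, palloc and its variants do not return NULL unless MCXT_ALLOC_NO_OOM is specified, and this call passes no flags; the frontend palloc0 handles allocation failure itself by reporting out of memory and exiting, so `if (unlikely(collisions == NULL))` followed by `pg_fatal("out of memory");` can never execute. The DEREF_OF_NULL.RET finding is a false positive against the allocator's contract; if it needs silencing, that belongs in the analyzer's model of palloc0, not in simplehash.h.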
Re: BUG #18910: DEREF_OF_NULL.RET Pointer, returned from function 'palloc0' at simplehash.h:1080, may be NULL
From
Tom Lane
Date:
PG Bug reporting form <noreply@postgresql.org> writes:
> In the file /src/include/lib/simplehash.h, within the SH_STAT() function,
> there is a call to palloc0() that may return NULL:
> uint32 *collisions = (uint32 *) palloc0(tb->size * sizeof(uint32));

palloc and its variants do not return NULL, unless you specify MCXT_ALLOC_NO_OOM, which this call does not.

regards, tom lane
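As an added example, not PostgreSQL source and not part of either message above, the C program below models the two allocator contracts the reply distinguishes: a palloc0-style allocator that never returns NULL and terminates the process on failure, and a palloc_extended-style allocator that returns NULL only when the caller asks for MCXT_ALLOC_NO_OOM-style behaviour. It re-creates the collisions[] pass of SH_STAT over a constructed eight-bucket table and adds a fault-injection knob so the one path on which NULL can actually appear is exercised. All identifiers (model_alloc0, model_alloc_extended, MODEL_NO_OOM, model_table, the sample slot hashes) are this example's own assumptions, not PostgreSQL names.

```c
/* Added example, not PostgreSQL source: models the two allocator contracts
 * the thread distinguishes and re-creates SH_STAT's collisions[] pass.
 * model_alloc0() is palloc0-style (never NULL, exits on OOM);
 * model_alloc_extended() is palloc_extended-style and returns NULL only when
 * the caller passes MODEL_NO_OOM (a stand-in for MCXT_ALLOC_NO_OOM).
 * Every identifier here is the example's own, not a PostgreSQL name. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MODEL_NO_OOM 0x01

/* Fault-injection knob, constructed for the example: the next allocation fails. */
static int model_fail_next_alloc = 0;

/* palloc0-style: zeroed memory or process exit. Callers never see NULL. */
static void *model_alloc0(size_t size) {
    void *p = model_fail_next_alloc ? NULL : calloc(1, size ? size : 1);
    model_fail_next_alloc = 0;
    if (p == NULL) {
        fprintf(stderr, "out of memory\n");   /* hard failure, as the frontend does itself */
        exit(EXIT_FAILURE);
    }
    return p;
}

/* palloc_extended-style: only MODEL_NO_OOM turns failure into a NULL return. */
static void *model_alloc_extended(size_t size, int flags) {
    if (!(flags & MODEL_NO_OOM))
        return model_alloc0(size);
    if (model_fail_next_alloc) {
        model_fail_next_alloc = 0;
        return NULL;                          /* caller asked for NULL, not exit */
    }
    return calloc(1, size ? size : 1);
}

/* Minimal open-addressing table, constructed for the example: power-of-two
 * size, slot_hash[i] is the hash of the entry in bucket i, 0 means empty. */
typedef struct {
    uint32_t size;
    uint32_t sizemask;             /* size - 1 */
    const uint32_t *slot_hash;
} model_table;

/* SH_STAT's two collisions[] loops: count live entries per optimal bucket
 * (hash & sizemask), then every occupant beyond the first is a collision. */
static void count_collisions(const model_table *tb, uint32_t *collisions,
                             uint32_t *total, uint32_t *max) {
    uint32_t i;
    for (i = 0; i < tb->size; i++) {
        uint32_t hash = tb->slot_hash[i];
        if (hash != 0)                         /* skip empty buckets */
            collisions[hash & tb->sizemask]++; /* collisions[optimal]++ */
    }
    *total = 0; *max = 0;
    for (i = 0; i < tb->size; i++) {
        uint32_t c = collisions[i];
        if (c == 0) continue;
        c--;                                   /* sole occupant is not a collision */
        *total += c;
        if (c > *max) *max = c;
    }
}

/* Opted into NO_OOM: the NULL check is mandatory. Returns -1 on OOM. */
static int stats_no_oom(const model_table *tb, uint32_t *total, uint32_t *max) {
    uint32_t *collisions = model_alloc_extended(tb->size * sizeof(uint32_t), MODEL_NO_OOM);
    if (collisions == NULL)
        return -1;
    count_collisions(tb, collisions, total, max);
    free(collisions);
    return 0;
}

/* Plain palloc0-style allocation: a NULL check here would be dead code. */
static void stats_fatal(const model_table *tb, uint32_t *total, uint32_t *max) {
    uint32_t *collisions = model_alloc0(tb->size * sizeof(uint32_t));
    count_collisions(tb, collisions, total, max);
    free(collisions);
}

/* Constructed sample: 8 buckets; hashes 9, 17, 25 all want bucket 1 and 2, 10
 * both want bucket 2 (linear probing moved the later ones to the right). */
static const uint32_t sample_slots[8] = {0, 9, 17, 25, 2, 10, 3, 0};
static const model_table sample = {8, 7, sample_slots};

static int sample_total_collisions(void) {
    uint32_t total, max;
    return stats_no_oom(&sample, &total, &max) == 0 ? (int) total : -1;
}

static int sample_max_collisions(void) {
    uint32_t total, max;
    return stats_no_oom(&sample, &total, &max) == 0 ? (int) max : -1;
}

static int sample_total_collisions_fatal(void) {
    uint32_t total, max;
    stats_fatal(&sample, &total, &max);
    return (int) total;
}

/* The only way to reach a NULL here: injected OOM under NO_OOM semantics. */
static int sample_status_under_injected_oom(void) {
    uint32_t total, max;
    model_fail_next_alloc = 1;
    return stats_no_oom(&sample, &total, &max);
}

int main(void) {
    int total = sample_total_collisions();
    int max = sample_max_collisions();
    int fatal_total = sample_total_collisions_fatal();
    int oom_status = sample_status_under_injected_oom();
    printf("total=%d max=%d (fatal path total=%d), injected OOM status=%d\n",
           total, max, fatal_total, oom_status);
    return 0;
}
```

The point of the contrast is where the NULL check belongs: stats_no_oom must check, because its allocation opted into NULL returns, and the injected failure shows that path being taken; in stats_fatal the same check would be unreachable, which is why an analyzer flagging the plain palloc0 call in SH_STAT as DEREF_OF_NULL is reporting a false positive against the allocator's contract rather than a bug.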