public inbox for [email protected]  
From: Галкин Сергей <[email protected]>
To: [email protected] <[email protected]>
Subject: DEREF_AFTER_NULL: src/common/jsonapi.c:2529
Date: Mon, 6 Apr 2026 08:09:46 +0000
Message-ID: <[email protected]>

Hello, a static analyzer pointed out a possible NULL dereference at the end of json_errdetail() (src/common/jsonapi.c):

return lex->errormsg->data;

That seemed plausible to me, since there is a comment just above saying that lex->errormsg can be NULL in shlib code. I also checked PQExpBufferBroken(), and it does handle NULL, but that call is under #ifdef, while the final access to lex->errormsg->data is unconditional.

I may be missing some invariant here, but it seems worth adding an explicit NULL check. I prepared a corresponding patch and am attaching it below in case you agree that this is a real issue.

diff --git a/src/common/jsonapi.c b/src/common/jsonapi.c
index 1145d93945f..192040b5443 100644
--- a/src/common/jsonapi.c
+++ b/src/common/jsonapi.c
@@ -2525,6 +2525,9 @@ json_errdetail(JsonParseErrorType error, JsonLexContext *lex)
     if (PQExpBufferBroken(lex->errormsg))
         return _("out of memory while constructing error description");
 #endif
+
+    if (!lex->errormsg)
+        return _("out of memory while constructing error description");

     return lex->errormsg->data;
 }
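Review bot: the new `if (!lex->errormsg)` check is placed after the `#endif`, so in the build where `PQExpBufferBroken(lex->errormsg)` is compiled in it repeats a case that branch already returns for (the cover message notes PQExpBufferBroken() handles NULL), and the patch only changes behaviour in the build where that block is compiled out. The commit message should say whether `lex->errormsg` can actually be NULL in that other build; if the check is needed only there, put it in an `#else` branch of the same `#ifdef` instead of leaving two adjacent returns of the identical translatable string "out of memory while constructing error description".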

Best regards, Galkin Sergey


Attachments:

  [text/x-patch] 0001-Added-an-additional-check-when-dereferencing-a-point.patch (769B)
From eefe51e74a89e05a21a0718cbf007a5add45dfc6 Mon Sep 17 00:00:00 2001
From: Sergey <[email protected]>
Date: Fri, 3 Apr 2026 19:54:18 +0300
Subject: [PATCH] Added an additional check when dereferencing a pointer

---
 src/common/jsonapi.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/common/jsonapi.c b/src/common/jsonapi.c
index 1145d93945f..192040b5443 100644
--- a/src/common/jsonapi.c
+++ b/src/common/jsonapi.c
@@ -2525,6 +2525,9 @@ json_errdetail(JsonParseErrorType error, JsonLexContext *lex)
 	if (PQExpBufferBroken(lex->errormsg))
 		return _("out of memory while constructing error description");
 #endif
+	
+	if (!lex->errormsg)
+		return _("out of memory while constructing error description");
 
 	return lex->errormsg->data;
 }
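Review bot: the first added line of the hunk (the `+` line directly after `#endif`) is not empty but contains a single tab, which `git diff --check` reports as trailing whitespace and which will show up in every later diff of this region; make it a genuinely empty line before the patch is applied.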
-- 
2.43.0