public inbox for [email protected]
DEREF_AFTER_NULL: src/common/jsonapi.c:2529
2+ messages / 2 participants
* DEREF_AFTER_NULL: src/common/jsonapi.c:2529
@ 2026-04-06 08:09 Галкин Сергей <[email protected]>
2026-04-06 08:40 ` Re: DEREF_AFTER_NULL: src/common/jsonapi.c:2529 Ashesh Vashi <[email protected]>
From: Галкин Сергей @ 2026-04-06 08:09 UTC (permalink / raw)
To: [email protected] <[email protected]>
Hello, a static analyzer pointed out a possible NULL dereference at the end of json_errdetail() (src/common/jsonapi.c):
return lex->errormsg->data;
That seemed plausible to me, since there is a comment just above saying that lex->errormsg can be NULL in shlib code. I also checked PQExpBufferBroken(), and it does handle NULL, but that call is under #ifdef, while the final access to lex->errormsg->data is unconditional.
I may be missing some invariant here, but it seems worth adding an explicit NULL check. I prepared a corresponding patch and am attaching it below in case you agree that this is a real issue.
diff --git a/src/common/jsonapi.c b/src/common/jsonapi.c
index 1145d93945f..192040b5443 100644
--- a/src/common/jsonapi.c
+++ b/src/common/jsonapi.c
@@ -2525,6 +2525,9 @@ json_errdetail(JsonParseErrorType error, JsonLexContext *lex)
if (PQExpBufferBroken(lex->errormsg))
return _("out of memory while constructing error description");
#endif
+
+ if (!lex->errormsg)
+ return _("out of memory while constructing error description");
return lex->errormsg->data;
}
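Review bot: the new `if (!lex->errormsg)` test is placed after the `#endif`, so in the shlib build it is only reached after `PQExpBufferBroken(lex->errormsg)` has already returned for a NULL pointer (the report itself notes that macro handles NULL), which leaves the added branch effective only in the non-shlib build, where the cited comment says nothing about `errormsg` being NULL. Either move the NULL test above the `#ifdef` so a single check guards `return lex->errormsg->data;` in both builds, or state the invariant under which the non-shlib path can reach that line with a NULL pointer, and add a one-line comment saying when `errormsg` can be NULL here so the check explains itself. Reusing the "out of memory while constructing error description" string also assumes a NULL pointer can only mean a failed allocation; if some path simply never creates the buffer, that message would mislead.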
Best regards, Galkin Sergey
Attachments:
[text/x-patch] 0001-Added-an-additional-check-when-dereferencing-a-point.patch (769B)
Inline diff:
From eefe51e74a89e05a21a0718cbf007a5add45dfc6 Mon Sep 17 00:00:00 2001
From: Sergey <[email protected]>
Date: Fri, 3 Apr 2026 19:54:18 +0300
Subject: [PATCH] Added an additional check when dereferencing a pointer
---
src/common/jsonapi.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/common/jsonapi.c b/src/common/jsonapi.c
index 1145d93945f..192040b5443 100644
--- a/src/common/jsonapi.c
+++ b/src/common/jsonapi.c
@@ -2525,6 +2525,9 @@ json_errdetail(JsonParseErrorType error, JsonLexContext *lex)
if (PQExpBufferBroken(lex->errormsg))
return _("out of memory while constructing error description");
#endif
+
+ if (!lex->errormsg)
+ return _("out of memory while constructing error description");
return lex->errormsg->data;
}
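Review bot: the subject line "Added an additional check when dereferencing a pointer" does not identify the function or the pointer, so the log entry cannot be found by anyone searching for json_errdetail() or lex->errormsg; name both, and say in the body that the check targets the shlib case where errormsg can be NULL and that PQExpBufferBroken() is only compiled under the #ifdef, since that reasoning is what a later reader will need to judge whether the check is still required.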
--
2.43.0
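The shape of the bug report, as an added example that is not PostgreSQL's code: a lexer context whose error-buffer pointer may be NULL, a PQExpBuffer-style buffer that can enter a "broken" out-of-memory state, and an accessor whose NULL-or-broken test is compiled unconditionally and sits before the only dereference, so it covers every build configuration rather than only the one under an `#ifdef`. The `ErrBuf` type, `BUF_BROKEN()`, the `xalloc()` failure hook, `describe_error()` and the constructed token are assumptions made for this example; the three scenarios show what comes back when the buffer is never created, when it becomes broken while the message is being built, and when everything succeeds.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal expandable buffer in the style of PQExpBuffer (an assumption of this
 * example): maxlen == 0 marks the "broken" out-of-memory state, and the pointer
 * to the buffer itself may be NULL when creating it failed. */
typedef struct { char *data; size_t len; size_t maxlen; } ErrBuf;

/* Same shape as the PQExpBufferBroken() test discussed in the thread: a NULL
 * pointer and a zero-capacity buffer are both unusable. */
#define BUF_BROKEN(b) ((b) == NULL || (b)->maxlen == 0)

typedef struct { ErrBuf *errormsg; } LexCtx;   /* errormsg may be NULL */

static const char OOM_MSG[] = "out of memory while constructing error description";

/* Allocation hook with an injectable failure so the OOM paths run deterministically
 * instead of depending on a real malloc failure; realloc(NULL, n) acts as malloc. */
static int fail_next_alloc = 0;
static void *xalloc(void *p, size_t n) {
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return realloc(p, n);
}

/* NULL when the struct cannot be allocated, a broken buffer when only the data
 * area fails; callers must tolerate both. */
static ErrBuf *errbuf_create(void) {
    ErrBuf *b = xalloc(NULL, sizeof *b);
    if (!b) return NULL;
    b->len = 0; b->maxlen = 16;
    b->data = xalloc(NULL, b->maxlen);
    if (!b->data) { b->maxlen = 0; return b; }   /* broken: no storage */
    b->data[0] = '\0';
    return b;
}

/* Append text. A NULL or broken buffer is left untouched; a failed growth marks
 * the buffer broken rather than leaving a dangling data pointer behind. */
static void errbuf_append(ErrBuf *b, const char *s) {
    size_t slen, need;
    if (BUF_BROKEN(b)) return;
    slen = strlen(s);
    need = b->len + slen + 1;
    if (need > b->maxlen) {
        size_t newlen = b->maxlen;
        char *p;
        while (newlen < need) newlen *= 2;
        p = xalloc(b->data, newlen);
        if (!p) {                       /* realloc failure keeps the old block valid */
            free(b->data);
            b->data = NULL; b->len = 0; b->maxlen = 0;   /* broken from now on */
            return;
        }
        b->data = p;
        b->maxlen = newlen;
    }
    memcpy(b->data + b->len, s, slen + 1);
    b->len += slen;
}

/* Hardened accessor: one unconditional test covering both the NULL pointer and
 * the broken buffer, placed before the only dereference. */
const char *errdetail_hardened(const LexCtx *lex) {
    if (BUF_BROKEN(lex->errormsg)) return OOM_MSG;
    return lex->errormsg->data;
}

/* Build an error description under a chosen failure scenario:
 * 0 = no failure, 1 = buffer creation fails (errormsg stays NULL),
 * 2 = growth fails while appending (buffer becomes broken). */
const char *describe_error(LexCtx *lex, const char *token, int fail_stage) {
    if (lex->errormsg == NULL) {
        if (fail_stage == 1) fail_next_alloc = 1;
        lex->errormsg = errbuf_create();
    }
    if (fail_stage == 2) fail_next_alloc = 1;   /* fires on the first growth */
    errbuf_append(lex->errormsg, "Token \"");
    errbuf_append(lex->errormsg, token);
    errbuf_append(lex->errormsg, "\" is invalid.");
    return errdetail_hardened(lex);
}

void lex_free(LexCtx *lex) {
    if (lex->errormsg) { free(lex->errormsg->data); free(lex->errormsg); }
    lex->errormsg = NULL;
}

/* Run one scenario on a fresh context and return a stable copy of the message
 * (the context is freed before returning, so the buffer's own data is gone). */
const char *run_case(int fail_stage) {
    static char out[128];
    LexCtx lex = { NULL };
    snprintf(out, sizeof out, "%s", describe_error(&lex, "not-a-json-value", fail_stage));
    lex_free(&lex);
    return out;
}

int main(void) {
    for (int stage = 0; stage <= 2; stage++)
        printf("stage %d: %s\n", stage, run_case(stage));
    return 0;
}
```

Build with `cc -Wall -o errdetail example.c && ./errdetail`. Scenario 0 prints the constructed message, scenarios 1 and 2 both print the out-of-memory text: the first because the buffer pointer is NULL, the second because the buffer exists but lost its storage. A check compiled only under an `#ifdef`, as in the posted patch's surroundings, would protect one build and leave the other to dereference NULL; one test before the dereference protects both.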
* Re: DEREF_AFTER_NULL: src/common/jsonapi.c:2529
2026-04-06 08:09 DEREF_AFTER_NULL: src/common/jsonapi.c:2529 Галкин Сергей <[email protected]>
@ 2026-04-06 08:40 ` Ashesh Vashi <[email protected]>
From: Ashesh Vashi @ 2026-04-06 08:40 UTC (permalink / raw)
To: Галкин Сергей <[email protected]>; +Cc: [email protected] <[email protected]>
This is the email chain for pgAdmin hackers (and not PostgreSQL hackers).
Please share your patch at [email protected] .
--
Thanks & Regards,
Ashesh Vashi
EnterpriseDB INDIA: Enterprise PostgreSQL Company
<http://www.enterprisedb.com>
http://www.linkedin.com/in/asheshvashi
On Mon, Apr 6, 2026 at 1:40 PM Галкин Сергей <[email protected]> wrote:
> Hello, a static analyzer pointed out a possible NULL dereference at the
> end of json_errdetail() (src/common/jsonapi.c):
>
> return lex->errormsg->data;
>
> That seemed plausible to me, since there is a comment just above saying
> that lex->errormsg can be NULL in shlib code. I also checked
> PQExpBufferBroken(), and it does handle NULL, but that call is under
> #ifdef, while the final access to lex->errormsg->data is unconditional.
>
> I may be missing some invariant here, but it seems worth adding an
> explicit NULL check. I prepared a corresponding patch and am attaching it
> below in case you agree that this is a real issue.
>
> diff --git a/src/common/jsonapi.c b/src/common/jsonapi.c
> index 1145d93945f..192040b5443 100644
> --- a/src/common/jsonapi.c
> +++ b/src/common/jsonapi.c
> @@ -2525,6 +2525,9 @@ json_errdetail(JsonParseErrorType error,
> JsonLexContext *lex)
> if (PQExpBufferBroken(lex->errormsg))
> return _("out of memory while constructing error description");
> #endif
> +
> + if (!lex->errormsg)
> + return _("out of memory while constructing error description");
>
> return lex->errormsg->data;
> }
>
> Best regards, Galkin Sergey