public inbox for [email protected]  
From: Michael Paquier <[email protected]>
To: Alexander Lakhin <[email protected]>
Cc: cca5507 <[email protected]>
Cc: Jim Jones <[email protected]>
Cc: Tom Lane <[email protected]>
Cc: pgsql-bugs <[email protected]>
Cc: maralist86 <[email protected]>
Subject: Re: BUG #18943: Return value of a function 'xmlBufferCreate' isdereferenced at xpath.c:177 without checking for NUL
Date: Thu, 12 Mar 2026 15:46:57 +0900
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>

On Thu, Mar 12, 2026 at 07:00:00AM +0200, Alexander Lakhin wrote:
> Hello Michael,
> 
> Maybe you would like to fix in passing one more anomaly there:
> create extension xml2;
> select xslt_process('<aaa/>','<xsl:stylesheet version="1.0"
> xmlns:xsl="http://www.w3.org/1999/XSL/Transform"></xsl:stylesheet>');
> 
> leads to:
> varlena.c:199:2: runtime error: null pointer passed as argument 2, which is declared to never be null
>     #0 0x640756666936 in cstring_to_text_with_len .../src/backend/utils/adt/varlena.c:199
>     #1 0x7e46c0f4805e in xslt_process .../contrib/xml2/xslt_proc.c:149
>     #2 0x640755a3ecbf in ExecInterpExpr .../src/backend/executor/execExprInterp.c:1001
>     #3 0x640755a277aa in ExecInterpExprStillValid .../src/backend/executor/execExprInterp.c:2299
>     #4 0x640755ef11e0 in ExecEvalExprSwitchContext ../../../../src/include/executor/executor.h:444
>     #5 0x640755efd7b6 in evaluate_expr .../src/backend/optimizer/util/clauses.c:5724
> 
> for a build made with -fsanitize=undefined.

Indeed, I can reproduce it locally.  This one is a super old
inconsistency, from what I can see.  This predates the introduction to
xml2 in contrib and even the use of cstring_to_text_with_len().  We've
never thought that xsltSaveResultToString() could return a NULL
xmlChar with a valid status code and a length of 0.  Back in the
day, before cstring_to_text_with_len(), that would be a memcpy with a
NULL pointer.

I am not sure if this is worth backpatching, so let's just use
something like the attached on HEAD.  This result cannot be NULL,
historically it has always been an empty string.

Opinions?
--
Michael

Attachments:

  [text/plain] 0001-xml2-Fix-undeterministic-result-with-xslt_process.patch (2.6K, 2-0001-xml2-Fix-undeterministic-result-with-xslt_process.patch)
From 6eb8518de5c3d767bb6b58426bb04b2173166f2c Mon Sep 17 00:00:00 2001
From: Michael Paquier <[email protected]>
Date: Thu, 12 Mar 2026 15:43:45 +0900
Subject: [PATCH] xml2: Fix undeterministic result with xslt_process()

---
 contrib/xml2/expected/xml2.out   | 10 ++++++++++
 contrib/xml2/expected/xml2_1.out |  6 ++++++
 contrib/xml2/sql/xml2.sql        |  6 ++++++
 contrib/xml2/xslt_proc.c         |  8 +++++++-
 4 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/contrib/xml2/expected/xml2.out b/contrib/xml2/expected/xml2.out
index 3d97b14c3a1e..1906fcf33e2a 100644
--- a/contrib/xml2/expected/xml2.out
+++ b/contrib/xml2/expected/xml2.out
@@ -261,3 +261,13 @@ $$<xsl:stylesheet version="1.0"
   </xsl:template>
 </xsl:stylesheet>$$);
 ERROR:  failed to apply stylesheet
+-- empty output
+select xslt_process('<aaa/>',
+$$<xsl:stylesheet version="1.0"
+      xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+</xsl:stylesheet>$$);
+ xslt_process 
+--------------
+ 
+(1 row)
+
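Review bot: the blank cell in the new expected output does not actually demonstrate the fix, because the regression harness prints a NULL as an empty cell as well, so this test would also pass if xslt_process() still returned NULL for this input. Consider asserting on the value instead, e.g. `select xslt_process('<aaa/>', $$...$$) = '';` or `select length(xslt_process('<aaa/>', $$...$$));`, so the expected file shows `t` or `0` rather than an empty cell; the alternate xml2_1.out would then need the same query text.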
diff --git a/contrib/xml2/expected/xml2_1.out b/contrib/xml2/expected/xml2_1.out
index 31700040a604..9a2144d58f57 100644
--- a/contrib/xml2/expected/xml2_1.out
+++ b/contrib/xml2/expected/xml2_1.out
@@ -205,3 +205,9 @@ $$<xsl:stylesheet version="1.0"
   </xsl:template>
 </xsl:stylesheet>$$);
 ERROR:  xslt_process() is not available without libxslt
+-- empty output
+select xslt_process('<aaa/>',
+$$<xsl:stylesheet version="1.0"
+      xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+</xsl:stylesheet>$$);
+ERROR:  xslt_process() is not available without libxslt
diff --git a/contrib/xml2/sql/xml2.sql b/contrib/xml2/sql/xml2.sql
index ef99d164f272..510d18a36799 100644
--- a/contrib/xml2/sql/xml2.sql
+++ b/contrib/xml2/sql/xml2.sql
@@ -153,3 +153,9 @@ $$<xsl:stylesheet version="1.0"
     </sax:output>
   </xsl:template>
 </xsl:stylesheet>$$);
+
+-- empty output
+select xslt_process('<aaa/>',
+$$<xsl:stylesheet version="1.0"
+      xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+</xsl:stylesheet>$$);
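Review bot: the `-- empty output` comment would help more if it said why the output is empty: the stylesheet declares no templates, so only the built-in rules apply, and `<aaa/>` has no text content to copy, leaving an empty result document, which is exactly the case where the serializer hands back a NULL buffer with length 0. Without that, a reader of the test has to reconstruct the reason from the thread.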
diff --git a/contrib/xml2/xslt_proc.c b/contrib/xml2/xslt_proc.c
index 2be87bec0cdf..23e5509b99ad 100644
--- a/contrib/xml2/xslt_proc.c
+++ b/contrib/xml2/xslt_proc.c
@@ -145,7 +145,13 @@ xslt_process(PG_FUNCTION_ARGS)
 		resstat = xsltSaveResultToString((xmlChar **) &resstr, &reslen,
 										 restree, stylesheet);
 
-		if (resstat >= 0)
+		/*
+		 * If an empty string has been returned, resstr would be NULL.
+		 * In this case, assume that the result is an empty string.
+		 */
+		if (reslen == 0)
+			result = cstring_to_text_with_len("", reslen);
+		else if (resstat >= 0)
 			result = cstring_to_text_with_len((char *) resstr, reslen);
 	}
 	PG_CATCH();
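Review bot: the new `if (reslen == 0)` branch is evaluated before `resstat` is inspected, so a failed xsltSaveResultToString() call (resstat < 0) that leaves reslen at 0 now also assigns an empty-string result instead of leaving `result` untouched as before. Nesting the special case under the status check keeps the status authoritative and also matches the comment, which talks about resstr being NULL rather than reslen being 0, e.g. `if (resstat >= 0) result = cstring_to_text_with_len(resstr != NULL ? (char *) resstr : "", reslen);`.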
-- 
2.53.0
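As an added illustration that is not PostgreSQL or libxslt code: a small C model of the contract described in the mail, where a save-to-string call reports success with a NULL buffer and a length of 0, next to a conversion routine that checks the status first and never hands that NULL pointer to memcpy(). All names here (save_to_string, result_to_text, struct text) are constructed stand-ins.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a libxslt-style save-to-string result. */
struct save_result {
    int   status;   /* >= 0 success, < 0 failure */
    char *buf;      /* NULL when nothing was serialized */
    int   len;      /* 0 whenever buf is NULL */
};

/* Mimics the behaviour discussed above: an empty result document yields
 * status 0, a NULL buffer and length 0, i.e. success with no bytes. */
static struct save_result save_to_string(const char *serialized)
{
    struct save_result r = {0, NULL, 0};
    if (serialized == NULL || serialized[0] == '\0')
        return r;   /* the NULL-and-zero-length case */
    r.len = (int) strlen(serialized);
    r.buf = malloc((size_t) r.len + 1);
    if (r.buf == NULL)
        r.status = -1;
    else
        memcpy(r.buf, serialized, (size_t) r.len + 1);
    return r;
}

/* Length-prefixed text value, a stand-in for a varlena text datum. */
struct text {
    int  len;
    char data[];
};

/* Hardened conversion: the status is authoritative, a NULL buffer is only
 * acceptable together with a zero length, and memcpy() is never called
 * with a NULL source even for zero bytes (that is what UBSan reported). */
static struct text *result_to_text(struct save_result r)
{
    struct text *t;
    if (r.status < 0)
        return NULL;    /* failure: let the caller handle it */
    if (r.buf == NULL && r.len != 0)
        return NULL;    /* inconsistent: do not trust len */
    t = malloc(sizeof(*t) + (size_t) r.len);
    if (t == NULL)
        return NULL;
    t->len = r.len;
    if (r.len > 0)
        memcpy(t->data, r.buf, (size_t) r.len);
    return t;
}
```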
