public inbox for [email protected]
Re: BUG #18943: Return value of a function 'xmlBufferCreate' is dereferenced at xpath.c:177 without checking for NULL
4+ messages / 2 participants
* Re: BUG #18943: Return value of a function 'xmlBufferCreate' is dereferenced at xpath.c:177 without checking for NULL
@ 2026-03-09 22:10 Michael Paquier <[email protected]>
0 siblings, 1 reply; 4+ messages in thread
From: Michael Paquier @ 2026-03-09 22:10 UTC
To: cca5507 <[email protected]>; +Cc: Jim Jones <[email protected]>; Tom Lane <[email protected]>; pgsql-bugs <[email protected]>; maralist86 <[email protected]>
On Mon, Mar 09, 2026 at 04:31:37PM +0900, Michael Paquier wrote:
> You are right, this needs to consider the pointer variable as
> volatile, as done in your patch, and not treat as volatile what is
> pointed at. This comes from 2e947217474c, as of HEAD. I'll take care
> of it later. The same business has been fixed in xml2 as of
> 93001888d85c.
Fixed as of 6307b096e259.
--
Michael
Attachments:
[application/pgp-signature] signature.asc (833B, 2-signature.asc)
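The volatile placement Michael describes above, as an added example that is not part of the thread or of PostgreSQL's code: a setjmp()/longjmp() stand-in for PG_TRY()/PG_CATCH() showing that `char *volatile` (the pointer object itself is volatile) keeps a pointer assigned after setjmp() reliable on the recovery path, whereas `volatile char *` only qualifies the bytes pointed to and leaves the pointer's value indeterminate there. The jmp_buf, helper names and string contents are assumptions made for this example.

```c
#include <setjmp.h>
#include <stdlib.h>
#include <string.h>

static jmp_buf recovery;   /* assumption: stands in for PG_exception_stack */

/* Stand-in for a call that can error out by longjmp(), the way
 * ereport(ERROR) unwinds through a PG_TRY() block. */
static void call_that_may_throw(int should_throw)
{
    if (should_throw)
        longjmp(recovery, 1);
}

/*
 * Returns 1 if the pointer assigned between setjmp() and longjmp()
 * is still visible on the recovery path, then releases it.
 *
 * "char *volatile buf": the pointer variable is volatile, so C11
 * 7.13.2.1 guarantees its value after longjmp().
 * "volatile char *buf" would instead qualify the characters pointed
 * to, leaving the pointer itself indeterminate on that path.
 */
int pointer_survives_longjmp(int should_throw)
{
    char *volatile buf = NULL;
    int ok;

    if (setjmp(recovery) == 0)
    {
        buf = malloc(16);              /* modified after setjmp() */
        if (buf != NULL)
            strcpy(buf, "result");
        call_that_may_throw(should_throw);
        ok = (buf != NULL);            /* normal path */
    }
    else
    {
        ok = (buf != NULL);            /* recovery path: must see buf */
    }
    free(buf);
    return ok;
}

/* Compile-time view of the two declarations the thread contrasts:
 * _Generic matches on the type of &var, which only equals
 * "char *volatile *" when the pointer object itself is volatile. */
int qualifies_pointer(void)
{
    char *volatile right = NULL;      /* pointer itself is volatile */
    return _Generic(&right, char *volatile *: 1, default: 0);
}

int qualifies_pointee(void)
{
    volatile char *wrong = NULL;      /* only the chars are volatile */
    return _Generic(&wrong, char *volatile *: 1, default: 0);
}
```

In PostgreSQL terms the variable to mark is the one assigned inside PG_TRY() and read inside PG_CATCH(); qualifying the pointee instead compiles cleanly and silences nothing but the wrong warning, which is why the fix in the patch moved the qualifier.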
* Re: BUG #18943: Return value of a function 'xmlBufferCreate' is dereferenced at xpath.c:177 without checking for NULL
@ 2026-03-12 05:00 Alexander Lakhin <[email protected]>
parent: Michael Paquier <[email protected]>
0 siblings, 1 reply; 4+ messages in thread
From: Alexander Lakhin @ 2026-03-12 05:00 UTC
To: Michael Paquier <[email protected]>; cca5507 <[email protected]>; +Cc: Jim Jones <[email protected]>; Tom Lane <[email protected]>; pgsql-bugs <[email protected]>; maralist86 <[email protected]>
Hello Michael,
Maybe you would like to fix in passing one more anomaly there:
create extension xml2;
select xslt_process('<aaa/>','<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"></xsl:stylesheet>');
leads to:
varlena.c:199:2: runtime error: null pointer passed as argument 2, which is declared to never be null
#0 0x640756666936 in cstring_to_text_with_len .../src/backend/utils/adt/varlena.c:199
#1 0x7e46c0f4805e in xslt_process .../contrib/xml2/xslt_proc.c:149
#2 0x640755a3ecbf in ExecInterpExpr .../src/backend/executor/execExprInterp.c:1001
#3 0x640755a277aa in ExecInterpExprStillValid .../src/backend/executor/execExprInterp.c:2299
#4 0x640755ef11e0 in ExecEvalExprSwitchContext ../../../../src/include/executor/executor.h:444
#5 0x640755efd7b6 in evaluate_expr .../src/backend/optimizer/util/clauses.c:5724
for a build made with -fsanitize=undefined.
Best regards,
Alexander
* Re: BUG #18943: Return value of a function 'xmlBufferCreate' is dereferenced at xpath.c:177 without checking for NULL
@ 2026-03-12 06:46 Michael Paquier <[email protected]>
parent: Alexander Lakhin <[email protected]>
0 siblings, 1 reply; 4+ messages in thread
From: Michael Paquier @ 2026-03-12 06:46 UTC
To: Alexander Lakhin <[email protected]>; +Cc: cca5507 <[email protected]>; Jim Jones <[email protected]>; Tom Lane <[email protected]>; pgsql-bugs <[email protected]>; maralist86 <[email protected]>
On Thu, Mar 12, 2026 at 07:00:00AM +0200, Alexander Lakhin wrote:
> Hello Michael,
>
> Maybe you would like to fix in passing one more anomaly there:
> create extension xml2;
> select xslt_process('<aaa/>','<xsl:stylesheet version="1.0"
> xmlns:xsl="http://www.w3.org/1999/XSL/Transform"></xsl:stylesheet>');
>
> leads to:
> varlena.c:199:2: runtime error: null pointer passed as argument 2, which is declared to never be null
> #0 0x640756666936 in cstring_to_text_with_len .../src/backend/utils/adt/varlena.c:199
> #1 0x7e46c0f4805e in xslt_process .../contrib/xml2/xslt_proc.c:149
> #2 0x640755a3ecbf in ExecInterpExpr .../src/backend/executor/execExprInterp.c:1001
> #3 0x640755a277aa in ExecInterpExprStillValid .../src/backend/executor/execExprInterp.c:2299
> #4 0x640755ef11e0 in ExecEvalExprSwitchContext ../../../../src/include/executor/executor.h:444
> #5 0x640755efd7b6 in evaluate_expr .../src/backend/optimizer/util/clauses.c:5724
>
> for a build made with -fsanitize=undefined.
Indeed, I can reproduce it locally. This one is a super old
inconsistency, from what I can see. This predates the introduction of
xml2 into contrib and even the use of cstring_to_text_with_len(). We've
never thought that xsltSaveResultToString() could return a NULL
xmlChar with a valid status code and a length of 0. Back in the
day, before cstring_to_text_with_len(), that would be a memcpy with a
NULL pointer.
I am not sure if this is worth backpatching, so let's just use
something like the attached on HEAD. This result cannot be NULL,
historically it has always been an empty string.
Opinions?
--
Michael
From 6eb8518de5c3d767bb6b58426bb04b2173166f2c Mon Sep 17 00:00:00 2001
From: Michael Paquier <[email protected]>
Date: Thu, 12 Mar 2026 15:43:45 +0900
Subject: [PATCH] xml2: Fix undeterministic result with xslt_process()
---
contrib/xml2/expected/xml2.out | 10 ++++++++++
contrib/xml2/expected/xml2_1.out | 6 ++++++
contrib/xml2/sql/xml2.sql | 6 ++++++
contrib/xml2/xslt_proc.c | 8 +++++++-
4 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/contrib/xml2/expected/xml2.out b/contrib/xml2/expected/xml2.out
index 3d97b14c3a1e..1906fcf33e2a 100644
--- a/contrib/xml2/expected/xml2.out
+++ b/contrib/xml2/expected/xml2.out
@@ -261,3 +261,13 @@ $$<xsl:stylesheet version="1.0"
</xsl:template>
</xsl:stylesheet>$$);
ERROR: failed to apply stylesheet
+-- empty output
+select xslt_process('<aaa/>',
+$$<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform";
+</xsl:stylesheet>$$);
+ xslt_process
+--------------
+
+(1 row)
+
diff --git a/contrib/xml2/expected/xml2_1.out b/contrib/xml2/expected/xml2_1.out
index 31700040a604..9a2144d58f57 100644
--- a/contrib/xml2/expected/xml2_1.out
+++ b/contrib/xml2/expected/xml2_1.out
@@ -205,3 +205,9 @@ $$<xsl:stylesheet version="1.0"
</xsl:template>
</xsl:stylesheet>$$);
ERROR: xslt_process() is not available without libxslt
+-- empty output
+select xslt_process('<aaa/>',
+$$<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform";
+</xsl:stylesheet>$$);
+ERROR: xslt_process() is not available without libxslt
diff --git a/contrib/xml2/sql/xml2.sql b/contrib/xml2/sql/xml2.sql
index ef99d164f272..510d18a36799 100644
--- a/contrib/xml2/sql/xml2.sql
+++ b/contrib/xml2/sql/xml2.sql
@@ -153,3 +153,9 @@ $$<xsl:stylesheet version="1.0"
</sax:output>
</xsl:template>
</xsl:stylesheet>$$);
+
+-- empty output
+select xslt_process('<aaa/>',
+$$<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform";
+</xsl:stylesheet>$$);
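Review bot: the "-- empty output" comment on this new case does not say why the output is empty, which is the whole point of the regression test; a one-line note that a stylesheet with no templates leaves xsltSaveResultToString() with a NULL buffer and length 0 (the condition the thread describes) would keep the case from being "simplified" away later as a duplicate of the "failed to apply stylesheet" case just above it.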
diff --git a/contrib/xml2/xslt_proc.c b/contrib/xml2/xslt_proc.c
index 2be87bec0cdf..23e5509b99ad 100644
--- a/contrib/xml2/xslt_proc.c
+++ b/contrib/xml2/xslt_proc.c
@@ -145,7 +145,13 @@ xslt_process(PG_FUNCTION_ARGS)
resstat = xsltSaveResultToString((xmlChar **) &resstr, &reslen,
restree, stylesheet);
- if (resstat >= 0)
+ /*
+ * If an empty string has been returned, resstr would be NULL.
+ * In this case, assume that the result is an empty string.
+ */
+ if (reslen == 0)
+ result = cstring_to_text_with_len("", reslen);
+ else if (resstat >= 0)
result = cstring_to_text_with_len((char *) resstr, reslen);
}
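Review bot: the new `if (reslen == 0)` branch is tested before `resstat >= 0`, so a failed xsltSaveResultToString() that leaves reslen at 0 now builds an empty text instead of leaving `result` untouched as before; the comment says the condition of interest is "resstr would be NULL", so test that directly and keep the status check outermost, e.g. `if (resstat >= 0) result = cstring_to_text_with_len(resstr != NULL ? (char *) resstr : "", reslen);`. Minor: `cstring_to_text_with_len("", reslen)` passes a length the branch has just established to be 0; `cstring_to_text("")` reads more plainly.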
PG_CATCH();
--
2.53.0
Attachments:
[text/plain] 0001-xml2-Fix-undeterministic-result-with-xslt_process.patch (2.6K, 2-0001-xml2-Fix-undeterministic-result-with-xslt_process.patch)
[application/pgp-signature] signature.asc (833B, 3-signature.asc)
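The failure mode Alexander reported and the fix under discussion, as an added example that is not code from the thread or from contrib/xml2: a stand-in for xsltSaveResultToString() that mirrors the behaviour described (success status, NULL buffer, length 0 on empty output), a nonnull-attributed stand-in for cstring_to_text_with_len() so that -fsanitize=undefined would flag the same call, and the unchecked and hardened callers side by side. The hardened caller keeps the status as the only success signal and substitutes "" only when the buffer is NULL, so a failure status still yields no text. All function names, the `fail` flag and the inputs are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Stand-in for xsltSaveResultToString() (assumption, not libxslt):
 * returns >= 0 on success and < 0 on failure, handing back a buffer
 * and its length. As the thread describes for the real function, an
 * empty serialization yields *out == NULL, *len == 0 and a success
 * status. The "fail" flag exists only to drive the failure path.
 */
__attribute__((noinline))
static int fake_save_result(const char *serialized, int fail,
                            char **out, int *len)
{
    *out = NULL;
    *len = 0;
    if (fail)
        return -1;
    if (serialized[0] == '\0')
        return 0;                    /* success, but NULL buffer */
    *len = (int) strlen(serialized);
    *out = malloc((size_t) *len + 1);
    if (*out == NULL)
        return -1;
    memcpy(*out, serialized, (size_t) *len + 1);
    return 0;
}

/*
 * Stand-in for cstring_to_text_with_len(): the real one takes a
 * pointer declared never-null, which is what UBSan reported. The
 * GCC/Clang nonnull attribute mirrors that contract here.
 */
__attribute__((nonnull(1)))
static char *text_from_cstring(const char *s, int len)
{
    char *t = malloc((size_t) len + 1);
    if (t == NULL)
        abort();
    memcpy(t, s, (size_t) len);
    t[len] = '\0';
    return t;
}

/*
 * Pre-fix shape of xslt_process(): only the status is checked, so a
 * successful empty result passes NULL to the nonnull callee
 * (undefined behaviour; -fsanitize=undefined reports it). Not called
 * by the tests; kept next to the hardened version for comparison.
 */
char *xslt_result_unchecked(const char *serialized, int fail)
{
    char *buf;
    int len;
    int status = fake_save_result(serialized, fail, &buf, &len);
    char *result = NULL;

    if (status >= 0)
        result = text_from_cstring(buf, len);   /* buf may be NULL */
    free(buf);
    return result;
}

/*
 * Hardened shape: the status stays the sole success signal and "" is
 * substituted only for a NULL buffer. Returns NULL on failure,
 * otherwise a malloc'd text the caller frees.
 */
char *xslt_result_checked(const char *serialized, int fail)
{
    char *buf;
    int len;
    int status = fake_save_result(serialized, fail, &buf, &len);
    char *result = NULL;

    if (status >= 0)
        result = text_from_cstring(buf != NULL ? buf : "", len);
    free(buf);
    return result;
}

/* Helper for checks: 1 if xslt_result_checked() yields `expected`
 * (NULL meaning "failure, no text"); frees the text. */
int checked_result_equals(const char *serialized, int fail,
                          const char *expected)
{
    char *t = xslt_result_checked(serialized, fail);
    int same;

    if (t == NULL || expected == NULL)
        same = (t == NULL && expected == NULL);
    else
        same = (strcmp(t, expected) == 0);
    free(t);
    return same;
}

int main(void)
{
    char *t = xslt_result_checked("", 0);   /* the empty-output case */
    printf("empty output -> \"%s\"\n", t != NULL ? t : "(null)");
    free(t);
    return 0;
}
```

Building with `cc -fsanitize=undefined` and calling xslt_result_unchecked("", 0) reproduces the same class of report as in Alexander's trace (a null pointer passed to an argument declared never-null), while the checked variant is clean on the same input.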
* Re: BUG #18943: Return value of a function 'xmlBufferCreate' is dereferenced at xpath.c:177 without checking for NULL
@ 2026-03-13 07:12 Michael Paquier <[email protected]>
parent: Michael Paquier <[email protected]>
0 siblings, 0 replies; 4+ messages in thread
From: Michael Paquier @ 2026-03-13 07:12 UTC
To: Alexander Lakhin <[email protected]>; +Cc: cca5507 <[email protected]>; Jim Jones <[email protected]>; Tom Lane <[email protected]>; pgsql-bugs <[email protected]>; maralist86 <[email protected]>
On Thu, Mar 12, 2026 at 03:46:57PM +0900, Michael Paquier wrote:
> I am not sure if this is worth backpatching, so let's just use
> something like the attached on HEAD. This result cannot be NULL,
> historically it has always been an empty string.
Looking at the history of the tree, things like 46ab07ffda9d were
mentioned as worth a backpatch, so applied down to v14 for this one as
well.
--
Michael
Attachments:
[application/pgp-signature] signature.asc (833B, 2-signature.asc)
2026-03-09 22:10 Re: BUG #18943: Return value of a function 'xmlBufferCreate' is dereferenced at xpath.c:177 without checking for NULL Michael Paquier <[email protected]>
2026-03-12 05:00 ` Alexander Lakhin <[email protected]>
2026-03-12 06:46 ` Michael Paquier <[email protected]>
2026-03-13 07:12 ` Michael Paquier <[email protected]>