Subject: Re: BUG #18943: Return value of a function 'xmlBufferCreate' is dereferenced at xpath.c:177 without checking for NUL
From: Jim Jones
To: Michael Paquier
Cc: Tom Lane, pgsql-bugs@lists.postgresql.org, maralist86@mail.ru
Date: Thu, 5 Jun 2025 16:15:19 +0200
References: <18943-2f2a04ab03904598@postgresql.org> <861593.1748970933@sss.pgh.pa.us>

On 05.06.25 11:47, Jim Jones wrote:
> Taking a further look at xml.c I am wondering if other functions might
> also need some attention in this regard:
>
> * xmlTextWriterStartElement [3]
> * xmlTextWriterWriteAttribute [4]
> * xmlTextWriterWriteRaw [5]
> * xmlTextWriterEndAttribute [6]
>
> We're assuming they never fail. Perhaps something like this?
>
>   ...
>   nbytes = xmlTextWriterStartElement(writer, (xmlChar *) xexpr->name);
>   if (nbytes == -1 || xmlerrcxt->err_occurred)
>       xml_ereport(xmlerrcxt, ERROR, ERRCODE_OUT_OF_MEMORY,
>                   "could not allocate xmlTextWriterStartElement");
>

There is also a further xmlXPathCastNodeToString() call in xml.c at
xml_xmlnodetoxmltype() - it calls xmlNodeGetContent() and it can return
NULL.

    xmlChar    *str;

    str = xmlXPathCastNodeToString(cur);
    PG_TRY();
    {
        /* Here we rely on XML having the same representation as TEXT */
        char       *escaped = escape_xml((char *) str);

        result = (xmltype *) cstring_to_text(escaped);
        pfree(escaped);
    }
    PG_FINALLY();
    {
        xmlFree(str);
    }
    PG_END_TRY();

The function pgxmlNodeSetToText() also calls xmlXPathCastNodeToString(),
but apparently xmlBufferAdd() can handle NULL values [1].

Best regards,
Jim

1 - https://github.com/GNOME/libxml2/blob/2b6b3945f2df548b56f2c73c490dda9781f92eb2/buf.c#L989