Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-bugs-owner+archive@lists.postgresql.org>)
	id 1uN7Bk-00C8gH-UC
	for pgsql-bugs@arkaria.postgresql.org; Thu, 05 Jun 2025 09:47:09 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-bugs-owner+archive@lists.postgresql.org>)
	id 1uN7Bi-006k2m-HE
	for pgsql-bugs@arkaria.postgresql.org; Thu, 05 Jun 2025 09:47:07 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <jim.jones@uni-muenster.de>)
	id 1uN7Bi-006k0L-5R
	for pgsql-bugs@lists.postgresql.org; Thu, 05 Jun 2025 09:47:06 +0000
Received: from udcm-wwu1.uni-muenster.de ([128.176.118.7])
	by magus.postgresql.org with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <jim.jones@uni-muenster.de>)
	id 1uN7Bg-000Kzr-2c
	for pgsql-bugs@lists.postgresql.org;
	Thu, 05 Jun 2025 09:47:06 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
  d=uni-muenster.de; i=@uni-muenster.de; q=dns/txt;
  s=uniout; t=1749116824; x=1780652824;
  h=message-id:date:mime-version:subject:to:references:cc:
   from:in-reply-to:content-transfer-encoding;
  bh=riey0xyVUSlx7RImmu/cENJXQ8Myo2CKMGYS6wlNPsU=;
  b=knBfHurEzJY5XcJMawkrYtzMXa0wLN8XbbhcibsdDrgLvjCDo+MydXsP
   n1nKMMCqD1aeCOIegnE7NP/OKvs+OQEVP59Bmh/erXK2i2tmbLKysMBPX
   z0/Mlh1HYY+J97fBTIPrznWItdIMmz4CRBQhxOcH1z2Q/Tt9P3oPNyXBD
   gc6lKguEVOb/2ImXpSTBVNrFSZUTCerP6DpwYituuBbBjRDns5jBzbCB9
   kx+H3aOAvG9G5VUeDJOJeR0aXUZ0tKHJROp7Yq0k6Sq9AooLyfDI4DT6V
   /uUhjx48RiIZpiuwdRkaPyRn0iijVW8sD+6Agkb9hQ0053jG0cFtwm0MF
   Q==;
X-CSE-ConnectionGUID: 62OcmQzZTSKFWM3CGQSUyA==
X-CSE-MsgGUID: tVvOxTVsTEyiBh9zCI4Asg==
X-IronPort-AV: E=Sophos;i="6.16,211,1744063200"; 
   d="scan'208";a="368381029"
Received: from secmail.uni-muenster.de ([128.176.118.4])
  by UDCM-RELAY1.UNI-MUENSTER.DE with ESMTP; 05 Jun 2025 11:47:03 +0200
Received: from [192.168.178.27] (dynamic-093-131-247-098.93.131.pool.telefonica.de [93.131.247.98])
	by SECMAIL.UNI-MUENSTER.DE (Postfix) with ESMTPSA id 5CD8F20ADF00;
	Thu,  5 Jun 2025 11:47:02 +0200 (CEST)
Message-ID: <d2410ca0-c0dd-4f63-9e70-3d7a62a5d705@uni-muenster.de>
Date: Thu, 5 Jun 2025 11:47:01 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: BUG #18943: Return value of a function 'xmlBufferCreate' is
 dereferenced at xpath.c:177 without checking for NUL
To: Michael Paquier <michael@paquier.xyz>
References: <18943-2f2a04ab03904598@postgresql.org>
 <aD001M5BUG9GwF_Y@paquier.xyz> <aD53hVjiW-9C29VT@paquier.xyz>
 <861593.1748970933@sss.pgh.pa.us> <aEEingzOta_S_Nu7@paquier.xyz>
 <CAPLXN34Dr3Gbi+xJ6BgCeTyBJkMVe3cn7qxoADV72rC9ZHeBtQ@mail.gmail.com>
Content-Language: en-US, de-DE
Cc: Tom Lane <tgl@sss.pgh.pa.us>, pgsql-bugs@lists.postgresql.org,
 maralist86@mail.ru
From: Jim Jones <jim.jones@uni-muenster.de>
In-Reply-To: <CAPLXN34Dr3Gbi+xJ6BgCeTyBJkMVe3cn7qxoADV72rC9ZHeBtQ@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
List-Id: <pgsql-bugs.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-bugs@lists.postgresql.org>
List-Owner: <mailto:pgsql-bugs-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-bugs>
Archived-At: <https://www.postgresql.org/message-id/d2410ca0-c0dd-4f63-9e70-3d7a62a5d705%40uni-muenster.de>
Precedence: bulk

On 05.06.25 11:38, Jim Jones wrote:
> 
> 
> Hi Michael
> 
> Am Do., 5. Juni 2025 um 10:11 Uhr schrieb Michael Paquier
> <michael@paquier.xyz <mailto:michael@paquier.xyz>>:
> 
>     On Tue, Jun 03, 2025 at 01:15:33PM -0400, Tom Lane wrote:
>     > Thanks for taking this on --- contrib/xml2 is really a mess so far as
>     > error handling goes.  Your patch looks like an improvement, although
>     > I do have one concern: the routines in xml.c that use an xmlerrcxt
>     > seem to check xmlerrcxt->err_occurred pretty frequently, eg xmlStrdup
>     > is used like this:
>     >
>     >             doc->encoding = xmlStrdup((const xmlChar *) "UTF-8");
>     >             if (doc->encoding == NULL || xmlerrcxt->err_occurred)
>     >                 xml_ereport(xmlerrcxt, ERROR, ERRCODE_OUT_OF_MEMORY,
>     >                             "could not allocate XML document");
>     >
>     > Not sure if that's needed here.
> 
>     Yes, I was also wondering a bit about this part a couple of days ago
>     while looking at the module's code and xml.c.  Looking at cacd42d62cb2
>     and its thread (particularly [1]), I think that we need to bite the
>     bullet or we are going to miss some error context.
> 
>     PgXmlErrorContext can remain private in xml.c as we can reuse
>     pg_xml_error_occurred() to do the job for out-of-core code. 
> 
>     > There's more that could be looked at, if you feel like it:
> 
>     Well, now that you mention these things, I do feel like it while I
>     have my hands on this area of the code.
> 
>     > xml_encode_special_chars seems to need a PG_TRY block to avoid
>     > possibly leaking "tt".  I also wonder if it's really not possible
>     > for xmlEncodeSpecialChars to fail and return NULL.  (xmltext()
>     > doesn't believe that either, but maybe it's wrong too.)
> 
>     Oh, missed this call.  xmlEncodeSpecialChars() relies on
>     xmlEscapeText(), which can return NULL on allocation failures based
>     on a check in the upstream code (first argument of the routine is not
>     used, only second is).  So xmltext() and xml_encode_special_chars()
>     are both wrong; we need a try/catch block for the edge case where
>     cstring_to_text_with_len() or cstring_to_text() could fail an
>     allocation or we would leak what could have been allocated by libxml.
> 
> 
> Yeah, xmlEscapeText() does return NULL in some cases[1,2] and
> xmlEncodeSpecialChars() doesn't mind.
> 
> Taking a further look at xml.c I am wondering if other functions might
> also need some attention in this regard:
> 
> * xmlTextWriterStartElement [3]
> * xmlTextWriterWriteAttribute [4]
> * xmlTextWriterWriteRaw [5]
> * xmlTextWriterEndAttribute [6]
> 
> We're assuming they never fail. Perhaps something like this?
>  ...
>  nbytes = xmlTextWriterStartElement(writer, (xmlChar *) xexpr->name);
>  if (nbytes == -1 || xmlerrcxt->err_occurred)
>     xml_ereport(xmlerrcxt, ERROR, ERRCODE_OUT_OF_MEMORY,
>                         "could not allocate xmlTextWriterStartElement");
> 
> Best regards, Jim
> 
> 1 -
> https://github.com/GNOME/libxml2/blob/2b6b3945f2df548b56f2c73c490dda9781f92eb2/xmlIO.c#L205 <https://github.com/GNOME/libxml2/blob/2b6b3945f2df548b56f2c73c490dda9781f92eb2/xmlIO.c#L205>
> 2 -
> https://github.com/GNOME/libxml2/blob/2b6b3945f2df548b56f2c73c490dda9781f92eb2/xmlIO.c#L284 <https://github.com/GNOME/libxml2/blob/2b6b3945f2df548b56f2c73c490dda9781f92eb2/xmlIO.c#L284>
> 3 -
> https://github.com/GNOME/libxml2/blob/2b6b3945f2df548b56f2c73c490dda9781f92eb2/xmlwriter.c#L967 <https://github.com/GNOME/libxml2/blob/2b6b3945f2df548b56f2c73c490dda9781f92eb2/xmlwriter.c#L967>
> 4 -
> https://github.com/GNOME/libxml2/blob/2b6b3945f2df548b56f2c73c490dda9781f92eb2/xmlwriter.c#L1950 <https://github.com/GNOME/libxml2/blob/2b6b3945f2df548b56f2c73c490dda9781f92eb2/xmlwriter.c#L1950>
> 5 -
> https://github.com/GNOME/libxml2/blob/2b6b3945f2df548b56f2c73c490dda9781f92eb2/xmlwriter.c#L1323 <https://github.com/GNOME/libxml2/blob/2b6b3945f2df548b56f2c73c490dda9781f92eb2/xmlwriter.c#L1323>
> 6 -
> https://github.com/GNOME/libxml2/blob/2b6b3945f2df548b56f2c73c490dda9781f92eb2/xmlwriter.c#L1839 <https://github.com/GNOME/libxml2/blob/2b6b3945f2df548b56f2c73c490dda9781f92eb2/xmlwriter.c#L1839> 
> 

Oups .. just replied to Michael.
Sorry!

Jim