From 5b0e7fe1d67235a092be1132bc5c97f1d7f29aaf Mon Sep 17 00:00:00 2001 From: Michael Paquier Date: Wed, 13 Oct 2021 16:38:07 +0900 Subject: [PATCH] Fix use-after-free with multirange types in CREATE TYPE The code was freeing the name of the multirange type function stored in the parse tree but it should not do that. Event triggers could for example look at such a corrupted parsed tree with a ddl_command_end event. Author: Alex Kozhemyakin, Sergey Shinderuk Reviewed-by: Peter Eisentraut, Michael Paquier Discussion: https://postgr.es/m/d5042d46-b9cd-6efb-219a-71ed0cf45bc8@postgrespro.ru Backpatch-through: 14 --- src/backend/commands/typecmds.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/backend/commands/typecmds.c b/src/backend/commands/typecmds.c index b290629a45..9ab4034179 100644 --- a/src/backend/commands/typecmds.c +++ b/src/backend/commands/typecmds.c @@ -1707,7 +1707,6 @@ DefineRange(ParseState *pstate, CreateRangeStmt *stmt) /* Create cast from the range type to its multirange type */ CastCreate(typoid, multirangeOid, castFuncOid, 'e', 'f', DEPENDENCY_INTERNAL); - pfree(multirangeTypeName); pfree(multirangeArrayName); return address;