Guard against null arguments in binary_upgrade_create_empty_extension().

The CHECK_IS_BINARY_UPGRADE macro is not sufficient security protection if we're going to dereference pass-by-reference arguments before it. But in any case we really need to explicitly check PG_ARGISNULL for all the arguments of a non-strict function, not only the ones we expect null values for. Oversight in commits 30982be4e5 and f92fc4c95d. Found by Andreas Seltenreich. (The other usages in pg_upgrade_support.c seem safe.)
2024-09-05 23:39:21 +02:00 · 2016-01-03 16:26:38 -05:00 · 2016-01-03 16:26:38 -05:00 · ab1f08a3a4
commit ab1f08a3a4
parent 2e5c9284f6
1 changed files with 16 additions and 4 deletions
--- a/src/backend/utils/adt/pg_upgrade_support.c
+++ b/src/backend/utils/adt/pg_upgrade_support.c
@ -129,16 +129,28 @@ binary_upgrade_set_next_pg_authid_oid(PG_FUNCTION_ARGS)
 Datum
 binary_upgrade_create_empty_extension(PG_FUNCTION_ARGS)
 {
-	text	   *extName = PG_GETARG_TEXT_PP(0);
-	text	   *schemaName = PG_GETARG_TEXT_PP(1);
-	bool		relocatable = PG_GETARG_BOOL(2);
-	text	   *extVersion = PG_GETARG_TEXT_PP(3);
+	text	   *extName;
+	text	   *schemaName;
+	bool		relocatable;
+	text	   *extVersion;
 	Datum		extConfig;
 	Datum		extCondition;
 	List	   *requiredExtensions;

 	CHECK_IS_BINARY_UPGRADE;

+	/* We must check these things before dereferencing the arguments */
+	if (PG_ARGISNULL(0) ||
+		PG_ARGISNULL(1) ||
+		PG_ARGISNULL(2) ||
+		PG_ARGISNULL(3))
+		elog(ERROR, "null argument to binary_upgrade_create_empty_extension is not allowed");
+
+	extName = PG_GETARG_TEXT_PP(0);
+	schemaName = PG_GETARG_TEXT_PP(1);
+	relocatable = PG_GETARG_BOOL(2);
+	extVersion = PG_GETARG_TEXT_PP(3);
+
 	if (PG_ARGISNULL(4))
 		extConfig = PointerGetDatum(NULL);
 	else