Fix obscure segfault condition in PL/Python

In PLy_output(), when the elog() call in the TRY branch throws an exception (this can happen when a statement timeout kicks in, for example), the PyErr_SetString() call in the CATCH branch can cause a segfault, because the Py_XDECREF(so) call before it releases memory that is still used by the sv variable that PyErr_SetString() uses as argument, because sv points into memory owned by so. Backpatched back to 8.0, where this code was introduced. I also threw in a couple of volatile declarations for variables that are used before and after the TRY. I don't think they caused the crash that I observed, but they could become issues.

Fix obscure segfault condition in PL/Python
In PLy_output(), when the elog() call in the TRY branch throws an exception (this can happen when a statement timeout kicks in, for example), the PyErr_SetString() call in the CATCH branch can cause a segfault, because the Py_XDECREF(so) call before it releases memory that is still used by the sv variable that PyErr_SetString() uses as argument, because sv points into memory owned by so. Backpatched back to 8.0, where this code was introduced. I also threw in a couple of volatile declarations for variables that are used before and after the TRY. I don't think they caused the crash that I observed, but they could become issues.
92504858 · Peter Eisentraut · 2a47208a · 92504858
隐藏空白更改
内联并排

Showing with 7 addition and 4 deletion

src/pl/plpython/plpython.c src/pl/plpython/plpython.c +7 -4

未找到文件。
--- a/src/pl/plpython/plpython.c
+++ b/src/pl/plpython/plpython.c
 /**********************************************************************
 * plpython.c - python as a procedural language for PostgreSQL
 *
- *	$PostgreSQL: pgsql/src/pl/plpython/plpython.c,v 1.106 2008/01/02 03:10:27 tgl Exp $
+ *	$PostgreSQL: pgsql/src/pl/plpython/plpython.c,v 1.106.2.1 2009/11/03 08:44:52 petere Exp $
 *
 *********************************************************************
 */
@@ -2840,9 +2840,9 @@ PLy_fatal(PyObject * self, PyObject * args)
 static PyObject *
 PLy_output(volatile int level, PyObject * self, PyObject * args)
 {
-	PyObject   *so;
+	PyObject   *volatile so;
 	char	   *volatile sv;
-	MemoryContext oldcontext;
+	volatile MemoryContext oldcontext;
 	so = PyObject_Str(args);
 	if (so == NULL || ((sv = PyString_AsString(so)) == NULL))
@@ -2861,6 +2861,10 @@ PLy_output(volatile int level, PyObject * self, PyObject * args)
 		MemoryContextSwitchTo(oldcontext);
 		PLy_error_in_progress = CopyErrorData();
 		FlushErrorState();
+		PyErr_SetString(PLy_exc_error, sv);
+		/* Note: If sv came from PyString_AsString(), it points into
+		 * storage owned by so.  So free so after using sv. */
 		Py_XDECREF(so);
 		/*
@@ -2868,7 +2872,6 @@ PLy_output(volatile int level, PyObject * self, PyObject * args)
 		 * control passes back to PLy_procedure_call, we check for PG
 		 * exceptions and re-throw the error.
 		 */
-		PyErr_SetString(PLy_exc_error, sv);
 		return NULL;
 	}
 	PG_END_TRY();