Re: BUG #19527: Double-Abort Crash in `ResOwnerReleaseOSSLCipher` via `encrypt_iv` with Oversized Input

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: 3020001251@tju.edu.cn
Cc: pgsql-bugs@lists.postgresql.org
Date: 2026-06-22T16:37:33Z
Lists: pgsql-bugs
PG Bug reporting form <noreply@postgresql.org> writes:
> Any role with `EXECUTE` on `encrypt_iv` (granted by default when pgcrypto is
> installed) can crash the backend with a single statement:

> ```sql
> CREATE EXTENSION IF NOT EXISTS pgcrypto;
> SELECT encrypt_iv(
>     repeat('A', 1073741308)::bytea,
>     decode('00112233445566778899aabbccddeeff', 'hex'),
>     decode('000102030405060708090a0b0c0d0e0f', 'hex'),
>     'aes'
> );
> ```

> The fix is to clear `od->owner` before calling `free_openssl_cipher` in
> `ResOwnerReleaseOSSLCipher`:

Good catch, thanks for the report!

			regards, tom lane



Commits

  1. pgcrypto: avoid recursive ResourceOwnerForget().