Re: BUG #18943: Return value of a function 'xmlBufferCreate' is dereferenced at xpath.c:177 without checking for NUL
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Michael Paquier <michael@paquier.xyz>
Cc: maralist86@mail.ru, pgsql-bugs@lists.postgresql.org
Date: 2025-06-03T17:15:33Z
Lists: pgsql-bugs
Michael Paquier <michael@paquier.xyz> writes:
> I'll try to have a second look at this patch in a couple of weeks.
> For now, I have added it to the next comment fest:
> https://commitfest.postgresql.org/patch/5794/
> If somebody would like to chime in, feel free.
Thanks for taking this on --- contrib/xml2 is really a mess so far as
error handling goes. Your patch looks like an improvement, although
I do have one concern: the routines in xml.c that use an xmlerrcxt
seem to check xmlerrcxt->err_occurred pretty frequently, eg xmlStrdup
is used like this:
doc->encoding = xmlStrdup((const xmlChar *) "UTF-8");
if (doc->encoding == NULL || xmlerrcxt->err_occurred)
xml_ereport(xmlerrcxt, ERROR, ERRCODE_OUT_OF_MEMORY,
"could not allocate XML document");
Not sure if that's needed here.
There's more that could be looked at, if you feel like it:
xml_encode_special_chars seems to need a PG_TRY block to avoid
possibly leaking "tt". I also wonder if it's really not possible
for xmlEncodeSpecialChars to fail and return NULL. (xmltext()
doesn't believe that either, but maybe it's wrong too.)
The usage of cleanup_workspace seems quite a mess: one caller
uses a PG_TRY block to ensure it's called, but the rest don't.
I also find it confusing that pgxml_xpath returns a value that is
also referenced in the workspace and cleanup_workspace is responsible
for freeing. I wonder if there's a better way to do that.
In the end of xslt_process, I wonder why
if (resstr)
xmlFree((xmlChar *) resstr);
isn't done before the pg_xml_done call.
regards, tom lane
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
xml2: Fix failure with xslt_process() under -fsanitize=undefined
- 70f7c5badcc0 14.23 landed
- 0b0041b942f7 15.18 landed
- 5f46c617e95f 16.14 landed
- 63aa4342da23 17.10 landed
- e33a4fda0027 18.4 landed
- 7d64419f8073 19 (unreleased) landed
-
Fix misuse of "volatile" in xml.c
- 6307b096e259 19 (unreleased) landed
-
xml2: Improve error handling of libxml2 calls
- 732061150b00 19 (unreleased) landed
-
Improve error handling of libxml2 calls in xml.c
- 2e947217474c 19 (unreleased) landed