[PATCH 1/2] Fix libxml string leak in contrib/xml2 xpath_list
Andrey Chernyy <andrey.cherny@tantorlabs.com>
From: Andrey Chernyy <andrey.cherny@tantorlabs.com>
To:
Date: 2026-05-25T19:12:02Z
Lists: pgsql-hackers
xmlXPathCastNodeToString() returns a libxml-allocated xmlChar *, but
pgxmlNodeSetToText() passed it directly to xmlBufferWriteCHAR() in the
plain separator path. Since xmlBufferWriteCHAR() copies the string
rather than taking ownership, successful xpath_list() calls leaked one
string per emitted node.
Store the cast result locally and free it with xmlFree() after writing it
to the buffer.
---
contrib/xml2/xpath.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/contrib/xml2/xpath.c b/contrib/xml2/xpath.c
index 7bf477e0c3f..94819961787 100644
--- a/contrib/xml2/xpath.c
+++ b/contrib/xml2/xpath.c
@@ -147,6 +147,7 @@ pgxmlNodeSetToText(xmlNodeSetPtr nodeset,
{
volatile xmlBufferPtr buf = NULL;
xmlChar *volatile result = NULL;
+ xmlChar *volatile str = NULL;
PgXmlErrorContext *xmlerrcxt;
/* spin up some error handling */
@@ -172,8 +173,14 @@ pgxmlNodeSetToText(xmlNodeSetPtr nodeset,
{
if (plainsep != NULL)
{
- xmlBufferWriteCHAR(buf,
- xmlXPathCastNodeToString(nodeset->nodeTab[i]));
+ str = xmlXPathCastNodeToString(nodeset->nodeTab[i]);
+ if (str == NULL || pg_xml_error_occurred(xmlerrcxt))
+ xml_ereport(xmlerrcxt, ERROR, ERRCODE_OUT_OF_MEMORY,
+ "could not allocate node text");
+
+ xmlBufferWriteCHAR(buf, str);
+ xmlFree(str);
+ str = NULL;
/* If this isn't the last entry, write the plain sep. */
if (i < (nodeset->nodeNr) - 1)
@@ -216,6 +223,8 @@ pgxmlNodeSetToText(xmlNodeSetPtr nodeset,
}
PG_CATCH();
{
+ if (str)
+ xmlFree(str);
if (buf)
xmlBufferFree(buf);
--
2.54.0
--MP_/T7YUrG7W2jPQOBsjEYwqj9B
Content-Type: text/x-patch
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename=0002-Fix-libxml-leaks-in-contrib-xml2-xpath_table.patch