From 1ef3f3cde3d2c5ff233209be01f58825a84348ab Mon Sep 17 00:00:00 2001 From: Peter Eisentraut Date: Tue, 3 Nov 2009 08:12:46 +0000 Subject: [PATCH] Fix obscure segfault condition in PL/Python In PLy_output(), when the elog() call in the TRY branch throws an exception (this can happen when a statement timeout kicks in, for example), the PyErr_SetString() call in the CATCH branch can cause a segfault, because the Py_XDECREF(so) call before it releases memory that is still used by the sv variable that PyErr_SetString() uses as argument, because sv points into memory owned by so. Backpatched back to 8.0, where this code was introduced. I also threw in a couple of volatile declarations for variables that are used before and after the TRY. I don't think they caused the crash that I observed, but they could become issues. --- src/pl/plpython/plpython.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/src/pl/plpython/plpython.c b/src/pl/plpython/plpython.c index 98b7dfbc3b3..53c298bae53 100644 --- a/src/pl/plpython/plpython.c +++ b/src/pl/plpython/plpython.c @@ -29,7 +29,7 @@ * MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. * * IDENTIFICATION - * $PostgreSQL: pgsql/src/pl/plpython/plpython.c,v 1.66.2.6 2008/07/28 18:45:05 tgl Exp $ + * $PostgreSQL: pgsql/src/pl/plpython/plpython.c,v 1.66.2.7 2009/11/03 08:12:46 petere Exp $ * ********************************************************************* */ @@ -2410,9 +2410,9 @@ PLy_fatal(PyObject * self, PyObject * args) static PyObject * PLy_output(volatile int level, PyObject * self, PyObject * args) { - PyObject *so; + PyObject *volatile so; char *volatile sv; - MemoryContext oldcontext; + volatile MemoryContext oldcontext; so = PyObject_Str(args); if ((so == NULL) || ((sv = PyString_AsString(so)) == NULL)) @@ -2431,6 +2431,10 @@ PLy_output(volatile int level, PyObject * self, PyObject * args) MemoryContextSwitchTo(oldcontext); PLy_error_in_progress = CopyErrorData(); FlushErrorState(); + + PyErr_SetString(PLy_exc_error, sv); + /* Note: If sv came from PyString_AsString(), it points into + * storage owned by so. So free so after using sv. */ Py_XDECREF(so); /* @@ -2438,7 +2442,6 @@ PLy_output(volatile int level, PyObject * self, PyObject * args) * control passes back to PLy_procedure_call, we check for PG * exceptions and re-throw the error. */ - PyErr_SetString(PLy_exc_error, sv); return NULL; } PG_END_TRY();