Check column list length in XMLTABLE/JSON_TABLE alias

We weren't checking the length of the column list in the alias clause of an XMLTABLE or JSON_TABLE function (a "tablefunc" RTE), and it was possible to make the server crash by passing an overly long one. Fix it by throwing an error in that case, like the other places that deal with alias lists. In passing, modify the equivalent test used for join RTEs to look like the other ones, which was different for no apparent reason. This bug came in when XMLTABLE was born in version 10; backpatch to all stable versions. Reported-by: Wang Ke <krking@zju.edu.cn> Discussion: https://postgr.es/m/17480-1c9d73565bb28e90@postgresql.org
2025-06-29 10:41:53 +03:00 · 2022-05-18 20:28:31 +02:00
parent 2e9559b302
commit 80656f00f8
10 changed files with 40 additions and 15 deletions
--- a/src/backend/parser/parse_clause.c
+++ b/src/backend/parser/parse_clause.c
@ -1434,21 +1434,6 @@ transformFromClauseItem(ParseState *pstate, Node *n,
 									&res_colnames, &res_colvars,
 									res_nscolumns + res_colindex);

-		/*
-		 * Check alias (AS clause), if any.
-		 */
-		if (j->alias)
-		{
-			if (j->alias->colnames != NIL)
-			{
-				if (list_length(j->alias->colnames) > list_length(res_colnames))
-					ereport(ERROR,
-							(errcode(ERRCODE_SYNTAX_ERROR),
-							 errmsg("column alias list for \"%s\" has too many entries",
-									j->alias->aliasname)));
-			}
-		}
-
 		/*
 		 * Now build an RTE and nsitem for the result of the join.
 		 * res_nscolumns isn't totally done yet, but that's OK because
--- a/src/backend/parser/parse_relation.c
+++ b/src/backend/parser/parse_relation.c
@ -1963,6 +1963,12 @@ addRangeTableEntryForTableFunc(ParseState *pstate,
 		eref->colnames = list_concat(eref->colnames,
 									 list_copy_tail(tf->colnames, numaliases));

+	if (numaliases > list_length(tf->colnames))
+		ereport(ERROR,
+				(errcode(ERRCODE_INVALID_COLUMN_REFERENCE),
+				 errmsg("%s function has %d columns available but %d columns specified",
+						"XMLTABLE", list_length(tf->colnames), numaliases)));
+
 	rte->eref = eref;

 	/*
@ -2140,6 +2146,12 @@ addRangeTableEntryForJoin(ParseState *pstate,
 		eref->colnames = list_concat(eref->colnames,
 									 list_copy_tail(colnames, numaliases));

+	if (numaliases > list_length(colnames))
+		ereport(ERROR,
+				(errcode(ERRCODE_INVALID_COLUMN_REFERENCE),
+				 errmsg("join expression \"%s\" has %d columns available but %d columns specified",
+						eref->aliasname, list_length(colnames), numaliases)));
+
 	rte->eref = eref;

 	/*