Commit 6c40838
Fix substring() crash when start-offset is NULL and length is supplied (#2401)
age_substring() reads the null map produced by extract_variadic_args()
and rejects null offset/length with this guard:
```c
if ((nargs == 2 && nulls[1]) ||
    (nargs == 3 && nulls[2]))
{
    ereport(ERROR, ..., errmsg("substring() offset or length cannot be null"));
}
```
The condition only checks nulls[1] in the 2-argument form. When the
caller passes `substring(str, null, len)` the function takes nargs = 3,
nulls[1] = true, but the guard above does not fire. Execution reaches
the numeric-parameter loop below, which reads args[1] through
DatumGetInt32 / DATUM_GET_AGTYPE_P without ever re-checking nulls[i].
The Datum in that slot is undefined, the dereference segfaults, and
the PostgreSQL backend terminates - not a query error but a
connection-level crash (#2386).
Widen the guard to nargs >= 2 && nulls[1] so it catches start-is-null
in both the 2-arg and 3-arg forms. nulls[2] is still only checked
when nargs == 3. No behaviour change on any non-null path; the
connection-crash case is now reported as a normal query error,
matching the intent the existing error message already implies.

1 parent bdc8b6d commit 6c40838
1 file changed
Lines changed: 9 additions & 2 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
8639 | 8639 | | |
8640 | 8640 | | |
8641 | 8641 | | |
8642 | | - | |
8643 | | - | |
| 8642 | + | |
| 8643 | + | |
| 8644 | + | |
| 8645 | + | |
| 8646 | + | |
| 8647 | + | |
| 8648 | + | |
| 8649 | + | |
| 8650 | + | |
8644 | 8651 | | |
8645 | 8652 | | |
8646 | 8653 | | |
| |||
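Review bot: no regression test accompanies the fix; the commit touches a single file (9 additions, 2 deletions), so nothing exercises the `substring(str, null, len)` shape that previously took the backend down. A test asserting that this call now fails with "substring() offset or length cannot be null" instead of dropping the connection would pin the behaviour described in the message. Separately, since the numeric-parameter loop reads args[1] onward through DatumGetInt32 / DATUM_GET_AGTYPE_P without re-checking nulls[i], a per-iteration null check inside that loop would make the function robust to future changes in the argument handling rather than relying solely on the widened entry guard.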
0 commit comments