Fix jsonb_object_agg crash after eliminating null-valued pairs.

In commit b61aa76e4 I added an assumption in jsonb_object_agg_finalfn that it'd be okay to apply uniqueifyJsonbObject repeatedly to a JsonbValue. I should have studied that code more closely first, because in skip_nulls mode it removed leading nulls by changing the "pairs" array start pointer. This broke the data structure's invariants in two ways: pairs no longer references a repalloc-able chunk, and the distance from pairs to the end of its array is less than parseState->size. So any subsequent addition of more pairs is at high risk of clobbering memory and/or causing repalloc to crash. Unfortunately, adding more pairs is exactly what will happen when the aggregate is being used as a window function.

Fix by rewriting uniqueifyJsonbObject to not do that. The prior coding had little to recommend it anyway.

Reported-by: Alexander Lakhin <[email protected]>
Author: Tom Lane <[email protected]>
Discussion: https://postgr.es/m/[email protected]

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/ef5f559b95e2883c32d20d309d316f0572fd84b5

Modified Files
--------------
src/backend/utils/adt/jsonb.c       |  7 ++++--
src/backend/utils/adt/jsonb_util.c  | 49 +++++++++++++++----------------------
src/test/regress/expected/jsonb.out | 32 ++++++++++++++++++++++++
src/test/regress/sql/jsonb.sql      |  6 +++++
4 files changed, 63 insertions(+), 31 deletions(-)
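The two broken invariants the commit message describes (the array pointer must remain the pointer the allocator returned, and the allocated size must be counted from that pointer) are easy to see in a small model. The C below is an added illustration, not PostgreSQL's jsonb_util.c: ObjState, obj_push and the two uniqueify_* functions are hypothetical stand-ins for JsonbValue's pairs array, parseState->size and repalloc, the sample input is constructed, and the dedup rule (drop nulls, then keep the last occurrence of a key) is a simplification chosen for the example rather than a statement of jsonb_object_agg's exact semantics. The pointer-bump version reproduces the dangerous state without triggering the undefined behaviour; the in-place version is then appended to past its original capacity so the realloc path actually runs.

```c
/* Added example: a toy growable "pairs" array, not PostgreSQL code. */
#include <stdlib.h>
#include <string.h>

typedef struct {
    const char *key;
    int         is_null;   /* 1 if the value is SQL NULL */
    int         value;
} Pair;

typedef struct {
    Pair   *pairs;   /* invariant: exactly what malloc/realloc returned */
    size_t  npairs;  /* slots in use */
    size_t  size;    /* invariant: slots allocated, counted from 'pairs' */
} ObjState;

static void obj_init(ObjState *st, size_t size)
{
    st->pairs = malloc(size * sizeof(Pair));
    st->npairs = 0;
    st->size = size;
}

/* Append one pair, doubling the chunk when full. Correct only while both
 * invariants hold: realloc on a pointer that is not the chunk base is
 * undefined, and writing 'size' slots past a bumped pointer overruns it. */
static void obj_push(ObjState *st, const char *key, int is_null, int value)
{
    if (st->npairs == st->size) {
        st->size *= 2;
        st->pairs = realloc(st->pairs, st->size * sizeof(Pair));
    }
    st->pairs[st->npairs].key = key;
    st->pairs[st->npairs].is_null = is_null;
    st->pairs[st->npairs].value = value;
    st->npairs++;
}

/* The pattern the commit removes: drop leading nulls by bumping 'pairs'.
 * Both invariants are now false, so any later obj_push is memory-unsafe. */
static void uniqueify_by_pointer_bump(ObjState *st)
{
    while (st->npairs > 0 && st->pairs[0].is_null) {
        st->pairs++;
        st->npairs--;
    }
}

/* Compact in place instead: 'pairs' stays the chunk base and all 'size'
 * slots remain usable. Drops null-valued pairs; of the remaining pairs
 * sharing a key, keeps the last one (assumed semantics for this example). */
static void uniqueify_in_place(ObjState *st)
{
    size_t out = 0;
    for (size_t i = 0; i < st->npairs; i++) {
        Pair p = st->pairs[i];
        int superseded = 0;
        if (p.is_null)
            continue;
        for (size_t j = i + 1; j < st->npairs && !superseded; j++)
            superseded = !st->pairs[j].is_null && strcmp(st->pairs[j].key, p.key) == 0;
        if (!superseded)
            st->pairs[out++] = p;   /* out <= i: never overwrites an unread slot */
    }
    st->npairs = out;
}

/* Constructed sample: two leading nulls, then b, a, b. */
static void load_sample(ObjState *st)
{
    obj_init(st, 5);
    obj_push(st, "x", 1, 0);
    obj_push(st, "y", 1, 0);
    obj_push(st, "b", 0, 1);
    obj_push(st, "a", 0, 2);
    obj_push(st, "b", 0, 3);
}

/* How many of the 'size' slots the pointer bump silently removed. Nothing
 * is pushed afterwards: that push would be the undefined behaviour. */
int slots_lost_by_pointer_bump(void)
{
    ObjState st;
    load_sample(&st);
    Pair *base = st.pairs;
    uniqueify_by_pointer_bump(&st);
    long lost = st.pairs - base;
    free(base);
    return (int)lost;
}

/* Uniqueify in place, then append past the original capacity so realloc
 * really runs. Writes the first letter of each key to keys_out; returns npairs. */
int in_place_then_grow(char *keys_out, size_t keys_cap)
{
    ObjState st;
    size_t n = 0;
    load_sample(&st);
    uniqueify_in_place(&st);           /* [a=2, b=3] */
    obj_push(&st, "c", 0, 4);
    obj_push(&st, "d", 0, 5);
    obj_push(&st, "e", 0, 6);
    obj_push(&st, "f", 0, 7);          /* npairs hits 5 here: chunk grows to 10 */
    for (size_t i = 0; i < st.npairs && n + 1 < keys_cap; i++)
        keys_out[n++] = st.pairs[i].key[0];
    keys_out[n] = '\0';
    n = st.npairs;
    free(st.pairs);
    return (int)n;
}
```

Running the pointer-bump variant under AddressSanitizer with one extra obj_push after it is the quickest way to watch the invalid-free/overrun that the commit message predicts; the in-place variant survives the same sequence because the pointer handed to realloc is still the one malloc returned.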
