While looking into the recent plperl NULL pointer dereference issue, which ended up as 4015abe14, I found a similar issue in plpython, with the help of an LLM tool (Claude 4.8).

There are 6 callers of PySequence_GetItem() in plpython, and none of
them checks the returned result before using it. PySequence_GetItem()
can return NULL whenever an element cannot be fetched, so an object
that claims a length it cannot actually deliver is enough to crash the
backend.

For example:

CREATE FUNCTION test() RETURNS int[] AS $$
class C:
    # claims to hold two elements ...
    def __len__(self):
        return 2
    # ... but no element can actually be fetched
    def __getitem__(self, i):
        raise ValueError('boom')
return C()
$$ LANGUAGE plpython3u;

SELECT test();  -- crashes

The attached patch checks the result of PySequence_GetItem() in each
place and errors out if it is NULL.
- Richard
v1-0001-plpython-Fix-NULL-pointer-dereference-for-broken-.patch
Description: Binary data
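
The length/fetch mismatch described in the message, observed through the same C API calls via ctypes. This is an added example, not part of the original message or the attached patch; it assumes CPython, and `BrokenSeq`, `checked_items` and `unfetchable_indexes` are illustrative names.

```python
import ctypes

# CPython C-API entry points reached through ctypes (assumes CPython).
_api = ctypes.pythonapi
_api.PySequence_Size.argtypes = [ctypes.py_object]
_api.PySequence_Size.restype = ctypes.c_ssize_t
_api.PySequence_GetItem.argtypes = [ctypes.py_object, ctypes.c_ssize_t]
_api.PySequence_GetItem.restype = ctypes.py_object


class BrokenSeq:
    """Constructed sample with the same shape as class C in the report."""
    def __len__(self):
        return 2

    def __getitem__(self, i):
        raise ValueError('boom')


def checked_items(seq):
    """Fetch every element and test each result before using it.

    A NULL return from PySequence_GetItem() surfaces here as an exception
    (ctypes re-raises the pending Python error), so it is reported at the
    index where it happened instead of being used as an object.
    """
    n = _api.PySequence_Size(seq)
    items = []
    for i in range(n):
        try:
            items.append(_api.PySequence_GetItem(seq, i))
        except Exception as exc:
            raise RuntimeError(
                f"could not fetch element {i} of {n}: {exc!r}") from exc
    return items


def unfetchable_indexes(seq):
    """Return the indexes below the claimed length that cannot be fetched."""
    bad = []
    for i in range(_api.PySequence_Size(seq)):
        try:
            _api.PySequence_GetItem(seq, i)
        except Exception:
            bad.append(i)
    return bad
```

`unfetchable_indexes()` can be pointed at any candidate object when building regression inputs for sequence-conversion code: a non-empty result means the object's claimed size and its fetchable elements disagree.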
