Re: [BUGS] BUG #3675: Crash on xpath function with 2 parameters
Kris Jurka <[EMAIL PROTECTED]> writes:
> On Sat, 13 Oct 2007, Jeremy Palmer wrote:
>> The following query crashes the backend:
>>
>> SELECT xpath('/my:a/text()', '> xmlns:my="http://example.com";>test');
>>
> This patch avoids the double free of xpathcomp and fixes things for me.
Hmm, I wonder why that doesn't crash here? It certainly looks pretty
broken --- maybe some versions of libxml have internal defenses against
this.
Patch applied, and I also cleaned up some other places where an error
escape might possibly lead to double free. (The other ones are probably
not real risks, since libxml presumably doesn't elog, but we might as
well try to make the code bulletproof in case more PG-aware code gets
inserted in these paths.)
regards, tom lane
---(end of broadcast)---
TIP 2: Don't 'kill -9' the postmaster
Re: [BUGS] BUG #3675: Crash on xpath function with 2 parameters
On Sat, 13 Oct 2007, Jeremy Palmer wrote:
The following bug has been logged online:
Bug reference: 3675
PostgreSQL version: 8.3b1
Operating system: WinXP SP2
Description:Crash on xpath function with 2 parameters
Details:
The following query crashes the backend:
SELECT xpath('/my:a/text()', 'http://example.com";>test');
This patch avoids the double free of xpathcomp and fixes things for me.
Kris JurkaIndex: src/backend/utils/adt/xml.c
===
RCS file: /projects/cvsroot/pgsql/src/backend/utils/adt/xml.c,v
retrieving revision 1.47
diff -c -r1.47 xml.c
*** src/backend/utils/adt/xml.c 23 Sep 2007 21:36:42 - 1.47
--- src/backend/utils/adt/xml.c 13 Oct 2007 17:27:17 -
***
*** 3184,3189
--- 3184,3191
xpathobj = xmlXPathCompiledEval(xpathcomp, xpathctx);
xmlXPathFreeCompExpr(xpathcomp);
+ xpathcomp = NULL;
+
if (xpathobj == NULL)
ereport(ERROR, (errmsg("could not create XPath
object"))); /* TODO: reason? */
---(end of broadcast)---
TIP 5: don't forget to increase your free space map settings
