Re: [BUGS] BUG #3675: Crash on xpath function with 2 parameters
Kris Jurka <[EMAIL PROTECTED]> writes: > On Sat, 13 Oct 2007, Jeremy Palmer wrote: >> The following query crashes the backend: >> >> SELECT xpath('/my:a/text()', '> xmlns:my="http://example.com";>test'); >> > This patch avoids the double free of xpathcomp and fixes things for me. Hmm, I wonder why that doesn't crash here? It certainly looks pretty broken --- maybe some versions of libxml have internal defenses against this. Patch applied, and I also cleaned up some other places where an error escape might possibly lead to double free. (The other ones are probably not real risks, since libxml presumably doesn't elog, but we might as well try to make the code bulletproof in case more PG-aware code gets inserted in these paths.) regards, tom lane ---(end of broadcast)--- TIP 2: Don't 'kill -9' the postmaster
Re: [BUGS] BUG #3675: Crash on xpath function with 2 parameters
On Sat, 13 Oct 2007, Jeremy Palmer wrote: The following bug has been logged online: Bug reference: 3675 PostgreSQL version: 8.3b1 Operating system: WinXP SP2 Description:Crash on xpath function with 2 parameters Details: The following query crashes the backend: SELECT xpath('/my:a/text()', 'http://example.com";>test'); This patch avoids the double free of xpathcomp and fixes things for me. Kris JurkaIndex: src/backend/utils/adt/xml.c === RCS file: /projects/cvsroot/pgsql/src/backend/utils/adt/xml.c,v retrieving revision 1.47 diff -c -r1.47 xml.c *** src/backend/utils/adt/xml.c 23 Sep 2007 21:36:42 - 1.47 --- src/backend/utils/adt/xml.c 13 Oct 2007 17:27:17 - *** *** 3184,3189 --- 3184,3191 xpathobj = xmlXPathCompiledEval(xpathcomp, xpathctx); xmlXPathFreeCompExpr(xpathcomp); + xpathcomp = NULL; + if (xpathobj == NULL) ereport(ERROR, (errmsg("could not create XPath object"))); /* TODO: reason? */ ---(end of broadcast)--- TIP 5: don't forget to increase your free space map settings