From 873cb8fca9b14bde3e1d5577fcbb7b76d303076d Mon Sep 17 00:00:00 2001 From: Alvaro Herrera Date: Tue, 15 Sep 2020 21:03:14 -0300 Subject: Fix use-after-free bug with event triggers in an extension script ALTER TABLE commands in an extension script are added to an event trigger command list; but starting with commit b5810de3f4 they do so in a memory context that's too short-lived, so when execution ends and time comes to use the entries, they've already been freed. (This would also be a problem with ALTER TABLE commands in a multi-command query string, but these serendipitously end in PortalContext -- which probably explains why it took so long for this to be reported.) Fix by using the memory context specifically set for that, instead. Backpatch to 13, where the aforementioned commit appeared. Reported-by: Philippe Beaudoin Author: Jehan-Guillaume de Rorthais Discussion: https://postgr.es/m/20200902193715.6e0269d4@firost --- src/backend/commands/event_trigger.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'src/backend/commands/event_trigger.c') diff --git a/src/backend/commands/event_trigger.c b/src/backend/commands/event_trigger.c index 02ab40eaac7..b6894cbf76b 100644 --- a/src/backend/commands/event_trigger.c +++ b/src/backend/commands/event_trigger.c @@ -1667,9 +1667,15 @@ EventTriggerAlterTableEnd(void) /* If no subcommands, don't collect */ if (list_length(currentEventTriggerState->currentCommand->d.alterTable.subcmds) != 0) { + MemoryContext oldcxt; + + oldcxt = MemoryContextSwitchTo(currentEventTriggerState->cxt); + currentEventTriggerState->commandList = lappend(currentEventTriggerState->commandList, currentEventTriggerState->currentCommand); + + MemoryContextSwitchTo(oldcxt); } else pfree(currentEventTriggerState->currentCommand); -- cgit v1.2.3