From 78d5952dd0e66afc4447eec07f770991fa406cce Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Sun, 16 Apr 2023 14:16:40 -0400 Subject: Ensure result of an aggregate's finalfunc is made read-only. The finalfunc might return a read-write expanded object. If we de-duplicate multiple call sites for the aggregate, any function(s) receiving the aggregate result earlier could alter or destroy the value that reaches the ones called later. This is a brown-paper-bag bug in commit 42b746d4c, because we actually considered the need for read-only-ness but failed to realize that it applied to the case with a finalfunc as well as the case without. Per report from Justin Pryzby. New error in HEAD, no need for back-patch. Discussion: https://postgr.es/m/ZDm5TuKsh3tzoEjz@telsasoft.com --- src/backend/executor/nodeAgg.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) (limited to 'src/backend/executor/nodeAgg.c') diff --git a/src/backend/executor/nodeAgg.c b/src/backend/executor/nodeAgg.c index 19342a420c1..28205f74331 100644 --- a/src/backend/executor/nodeAgg.c +++ b/src/backend/executor/nodeAgg.c @@ -1040,9 +1040,10 @@ process_ordered_aggregate_multi(AggState *aggstate, * (But note that in some cases, such as when there is no finalfn, the * result might be a pointer to or into the agg's transition value.) * - * The finalfn uses the state as set in the transno. This also might be + * The finalfn uses the state as set in the transno. This also might be * being used by another aggregate function, so it's important that we do - * nothing destructive here. + * nothing destructive here. Moreover, the aggregate's final value might + * get used in multiple places, so we mustn't return a R/W expanded datum. */ static void finalize_aggregate(AggState *aggstate, @@ -1116,8 +1117,13 @@ finalize_aggregate(AggState *aggstate, } else { - *resultVal = FunctionCallInvoke(fcinfo); + Datum result; + + result = FunctionCallInvoke(fcinfo); *resultIsNull = fcinfo->isnull; + *resultVal = MakeExpandedObjectReadOnly(result, + fcinfo->isnull, + peragg->resulttypeLen); } aggstate->curperagg = NULL; } @@ -1165,6 +1171,7 @@ finalize_partialaggregate(AggState *aggstate, else { FunctionCallInfo fcinfo = pertrans->serialfn_fcinfo; + Datum result; fcinfo->args[0].value = MakeExpandedObjectReadOnly(pergroupstate->transValue, @@ -1173,8 +1180,11 @@ finalize_partialaggregate(AggState *aggstate, fcinfo->args[0].isnull = pergroupstate->transValueIsNull; fcinfo->isnull = false; - *resultVal = FunctionCallInvoke(fcinfo); + result = FunctionCallInvoke(fcinfo); *resultIsNull = fcinfo->isnull; + *resultVal = MakeExpandedObjectReadOnly(result, + fcinfo->isnull, + peragg->resulttypeLen); } } else -- cgit v1.2.3