From 52635c276fe352276c157ccea36d7655729d328d Mon Sep 17 00:00:00 2001 From: Michael Paquier Date: Mon, 6 May 2019 21:44:39 +0900 Subject: Fix tuple printing in error message of tuple routing for partitions With correctly crafted DDLs, this could lead to disclosure of arbitrary backend memory a user may have no right to access. This impacts only REL_11_STABLE, as the issue has been introduced by 34295b8. On HEAD, add regression tests to cover this issue in the future. Author: Michael Paquier Reviewed-by: Noah Misch Security: CVE-2019-10129 --- src/backend/executor/execPartition.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'src/backend/executor') diff --git a/src/backend/executor/execPartition.c b/src/backend/executor/execPartition.c index 8061c7e449d..0595d6bf1d6 100644 --- a/src/backend/executor/execPartition.c +++ b/src/backend/executor/execPartition.c @@ -329,10 +329,6 @@ ExecFindPartition(ResultRelInfo *resultRelInfo, PartitionDispatch *pd, } } - /* Release the tuple in the lowest parent's dedicated slot. */ - if (myslot != slot) - ExecClearTuple(myslot); - /* A partition was not found. */ if (result < 0) { @@ -348,6 +344,10 @@ ExecFindPartition(ResultRelInfo *resultRelInfo, PartitionDispatch *pd, val_desc ? errdetail("Partition key of the failing row contains %s.", val_desc) : 0)); } + /* Release the tuple in the lowest parent's dedicated slot. */ + if (myslot != slot) + ExecClearTuple(myslot); + MemoryContextSwitchTo(oldcxt); ecxt->ecxt_scantuple = ecxt_scantuple_old; -- cgit v1.2.3