| From: | Andrew Gierth <rhodiumtoad(at)postgresql(dot)org> |
|---|---|
| To: | pgsql-committers(at)lists(dot)postgresql(dot)org |
| Subject: | pgsql: Repair double-free in SP-GIST rescan (bug #15378) |
| Date: | 2018-09-11 18:58:52 |
| Message-ID: | E1fznsC-0005iq-FY@gemulon.postgresql.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-committers |
Repair double-free in SP-GIST rescan (bug #15378)
spgrescan would first reset traversalCxt, and then traverse a
potentially non-empty stack containing pointers to traversalValues
which had been allocated in those contexts, freeing them a second
time. This bug originates in commit ccd6eb49a where traversalValue was
introduced.
Repair by traversing the stack before the context reset; this isn't
ideal, since it means doing retail pfree in a context that's about to
be reset, but the freeing of a stack entry is also done in other
places in the code during the scan so it's not worth trying to
refactor it further. Regression test added.
Backpatch to 9.6 where the problem was introduced.
Per bug #15378; analysis and patch by me, originally from a report on
IRC by user velix; see also PostGIS ticket #4174; review by Alexander
Korotkov.
Discussion: https://postgr.es/m/153663176628.23136.11901365223750051490@wrigleys.postgresql.org
Branch
------
REL9_6_STABLE
Details
-------
https://git.postgresql.org/pg/commitdiff/84a3a1e55c86a104a8e259a43ed31814e010954f
Modified Files
--------------
src/backend/access/spgist/spgscan.c | 10 +++++++---
src/test/regress/expected/spgist.out | 18 ++++++++++++++++++
src/test/regress/sql/spgist.sql | 15 +++++++++++++++
3 files changed, 40 insertions(+), 3 deletions(-)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andrew Dunstan | 2018-09-11 20:11:45 | pgsql: Support building with Visual Studio 2017 |
| Previous Message | Tom Lane | 2018-09-11 02:22:25 | pgsql: Use -Bsymbolic for shared libraries on HP-UX and Solaris. |