NotificationsYou must be signed in to change notification settings
Fork4.9k
Star17.7k

Commit8c6633f

committed

Compute aggregate argument types correctly in transformAggregateCall().

transformAggregateCall() captures the datatypes of the aggregate'sarguments immediately to construct the Aggref.aggargtypes list.This seems reasonable because the arguments have already beentransformed --- but there is an edge case where they haven't been.Specifically, if we have an unknown-type literal in an ANY argumentposition, nothing will have been done with it earlier. But if wealso have DISTINCT, then addTargetToGroupList() converts the literalto "text" type, resulting in the aggargtypes list not matching theactual runtime type of the argument. The end result is that theaggregate tries to interpret a "text" value as being of type"unknown", that is a zero-terminated C string. If the text valuecontains no zero bytes, this could result in disclosure of servermemory following the text literal value.To fix, move the collection of the aggargtypes list to the endof transformAggregateCall(), after DISTINCT has been handled.This requires slightly more code, but not a great deal.Our thanks to Jingzhou Fu for reporting this problem.Security:CVE-2023-5868

1 parenta27be40 commit8c6633fCopy full SHA for 8c6633f

File tree

3 files changed

+33

-12

lines changed

src
- backend/parser
  - parse_agg.c
- test/regress
  - expected
    - jsonb.out
  - sql
    - jsonb.sql

3 files changed

+33

-12

lines changed

`‎src/backend/parser/parse_agg.c`

Lines changed: 23 additions & 12 deletions

Original file line number	Diff line number	Diff line change
`@@ -111,18 +111,6 @@ transformAggregateCall(ParseState pstate, Aggref agg,`
`111`	`111`	`intsave_next_resno;`
`112`	`112`	`ListCell*lc;`
`113`	`113`
`114`		`-/*`
`115`		`- * Before separating the args into direct and aggregated args, make a list`
`116`		`- * of their data type OIDs for use later.`
`117`		`- */`
`118`		`-foreach(lc,args)`
`119`		`-{`
`120`		`-Exprarg= (Expr)lfirst(lc);`
`121`		`-`
`122`		`-argtypes=lappend_oid(argtypes,exprType((Node*)arg));`
`123`		`-}`
`124`		`-agg->aggargtypes=argtypes;`
`125`		`-`
`126`	`114`	`if (AGGKIND_IS_ORDERED_SET(agg->aggkind))`
`127`	`115`	`{`
`128`	`116`	`/*`
`@@ -234,6 +222,29 @@ transformAggregateCall(ParseState pstate, Aggref agg,`
`234`	`222`	`agg->aggorder=torder;`
`235`	`223`	`agg->aggdistinct=tdistinct;`
`236`	`224`
	`225`	`+/*`
	`226`	`+ * Now build the aggargtypes list with the type OIDs of the direct and`
	`227`	`+ * aggregated args, ignoring any resjunk entries that might have been`
	`228`	`+ * added by ORDER BY/DISTINCT processing. We can't do this earlier`
	`229`	`+ * because said processing can modify some args' data types, in particular`
	`230`	`+ * by resolving previously-unresolved "unknown" literals.`
	`231`	`+ */`
	`232`	`+foreach(lc,agg->aggdirectargs)`
	`233`	`+{`
	`234`	`+Exprarg= (Expr)lfirst(lc);`
	`235`	`+`
	`236`	`+argtypes=lappend_oid(argtypes,exprType((Node*)arg));`
	`237`	`+}`
	`238`	`+foreach(lc,tlist)`
	`239`	`+{`
	`240`	`+TargetEntrytle= (TargetEntry)lfirst(lc);`
	`241`	`+`
	`242`	`+if (tle->resjunk)`
	`243`	`+continue;/* ignore junk */`
	`244`	`+argtypes=lappend_oid(argtypes,exprType((Node*)tle->expr));`
	`245`	`+}`
	`246`	`+agg->aggargtypes=argtypes;`
	`247`	`+`
`237`	`248`	`check_agglevels_and_constraints(pstate, (Node*)agg);`
`238`	`249`	`}`
`239`	`250`

`‎src/test/regress/expected/jsonb.out`

Lines changed: 7 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1523,6 +1523,13 @@ SELECT jsonb_object_agg(name, type) FROM foo;`
`1523`	`1523`	`INSERT INTO foo VALUES (999999, NULL, 'bar');`
`1524`	`1524`	`SELECT jsonb_object_agg(name, type) FROM foo;`
`1525`	`1525`	`ERROR: field name must not be null`
	`1526`	`+-- edge case for parser`
	`1527`	`+SELECT jsonb_object_agg(DISTINCT 'a', 'abc');`
	`1528`	`+ jsonb_object_agg`
	`1529`	`+------------------`
	`1530`	`+ {"a": "abc"}`
	`1531`	`+(1 row)`
	`1532`	`+`
`1526`	`1533`	`-- jsonb_object`
`1527`	`1534`	`-- empty object, one dimension`
`1528`	`1535`	`SELECT jsonb_object('{}');`

`‎src/test/regress/sql/jsonb.sql`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -376,6 +376,9 @@ SELECT jsonb_object_agg(name, type) FROM foo;`
`376`	`376`	`INSERT INTO fooVALUES (999999,NULL,'bar');`
`377`	`377`	`SELECT jsonb_object_agg(name, type)FROM foo;`
`378`	`378`
	`379`	`+-- edge case for parser`
	`380`	`+SELECT jsonb_object_agg(DISTINCT'a','abc');`
	`381`	`+`
`379`	`382`	`-- jsonb_object`
`380`	`383`
`381`	`384`	`-- empty object, one dimension`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit8c6633f

File tree

3 files changed

3 files changed

`‎src/backend/parser/parse_agg.c`

`‎src/test/regress/expected/jsonb.out`

`‎src/test/regress/sql/jsonb.sql`

0 commit comments