NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitce5aaea

committed

Fix oversight in handling of modifiedCols sincef245236

Commitf245236 fixed a memory leak by moving the modifiedCols bitmapinto the per-row memory context. In the case of AFTER UPDATE triggers,the bitmap is however referenced from an event kept until the end of thequery, resulting in a use-after-free bug.Fixed by copying the bitmap into the AfterTriggerEvents memory context,which is the one where we keep the trigger events. There's only oneplace that needs to do the copy, but the memory context may not existyet. Doing that in a separate function seems more readable.Report by Alexander Pyhalov, fix by me. Backpatch to 13, where thebitmap was added to the event by commit71d60e2.Reported-by: Alexander PyhalovBackpatch-through: 13Discussion:https://postgr.es/m/acddb17c89b0d6cb940eaeda18c08bbe@postgrespro.ru

1 parent98640f9 commitce5aaeaCopy full SHA for ce5aaea

File tree

1 file changed

+32

-1

lines changed

src/backend/commands
- trigger.c

1 file changed

+32

-1

lines changed

`‎src/backend/commands/trigger.c`

Lines changed: 32 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -3976,6 +3976,37 @@ afterTriggerCheckState(AfterTriggerShared evtshared)`
`3976`	`3976`	`return ((evtshared->ats_event&AFTER_TRIGGER_INITDEFERRED)!=0);`
`3977`	`3977`	`}`
`3978`	`3978`
	`3979`	`+/* ----------`
	`3980`	`+ * afterTriggerCopyBitmap()`
	`3981`	`+ *`
	`3982`	`+ * Copy bitmap into AfterTriggerEvents memory context, which is where the after`
	`3983`	`+ * trigger events are kept.`
	`3984`	`+ * ----------`
	`3985`	`+ */`
	`3986`	`+staticBitmapset*`
	`3987`	`+afterTriggerCopyBitmap(Bitmapset*src)`
	`3988`	`+{`
	`3989`	`+Bitmapset*dst;`
	`3990`	`+MemoryContextoldcxt;`
	`3991`	`+`
	`3992`	`+if (src==NULL)`
	`3993`	`+returnNULL;`
	`3994`	`+`
	`3995`	`+/* Create event context if we didn't already */`
	`3996`	`+if (afterTriggers.event_cxt==NULL)`
	`3997`	`+afterTriggers.event_cxt=`
	`3998`	`+AllocSetContextCreate(TopTransactionContext,`
	`3999`	`+"AfterTriggerEvents",`
	`4000`	`+ALLOCSET_DEFAULT_SIZES);`
	`4001`	`+`
	`4002`	`+oldcxt=MemoryContextSwitchTo(afterTriggers.event_cxt);`
	`4003`	`+`
	`4004`	`+dst=bms_copy(src);`
	`4005`	`+`
	`4006`	`+MemoryContextSwitchTo(oldcxt);`
	`4007`	`+`
	`4008`	`+returndst;`
	`4009`	`+}`
`3979`	`4010`
`3980`	`4011`	`/* ----------`
`3981`	`4012`	`* afterTriggerAddEvent()`
`@@ -6387,7 +6418,7 @@ AfterTriggerSaveEvent(EState estate, ResultRelInfo relinfo,`
`6387`	`6418`	`new_shared.ats_table=transition_capture->tcs_private;`
`6388`	`6419`	`else`
`6389`	`6420`	`new_shared.ats_table=NULL;`
`6390`		`-new_shared.ats_modifiedcols=modifiedCols;`
	`6421`	`+new_shared.ats_modifiedcols=afterTriggerCopyBitmap(modifiedCols);`
`6391`	`6422`
`6392`	`6423`	`afterTriggerAddEvent(&afterTriggers.query_stack[afterTriggers.query_depth].events,`
`6393`	`6424`	`&new_event,&new_shared);`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitce5aaea

File tree

1 file changed

1 file changed

`‎src/backend/commands/trigger.c`

0 commit comments