Fix null-dereference crash in parse_xml_decl().

tglsfdc · tglsfdc · commit 5e1365a96506 · 2011-05-28T12:36:04.000-04:00
parse_xml_decl's header comment says you can pass NULL for any unwanted
output parameter, but it failed to honor this contract for the "standalone"
flag.  The only currently-affected caller is xml_recv, so the net effect is
that sending a binary XML value containing a standalone parameter in its
xml declaration would crash the backend.  Per bug #6044 from Christopher
Dillard.

In passing, remove useless initializations of parse_xml_decl's output
parameters in xml_parse.

Back-patch to 8.3, where this code was introduced.
diff --git a/src/backend/utils/adt/xml.c b/src/backend/utils/adt/xml.c
@@ -1067,13 +1067,15 @@ parse_xml_decl(const xmlChar *str, size_t *lenp,
 		if (xmlStrncmp(p, (xmlChar *) "'yes'", 5) == 0 ||
 			xmlStrncmp(p, (xmlChar *) "\"yes\"", 5) == 0)
 		{
-			*standalone = 1;
+			if (standalone)
+				*standalone = 1;
 			p += 5;
 		}
 		else if (xmlStrncmp(p, (xmlChar *) "'no'", 4) == 0 ||
 				 xmlStrncmp(p, (xmlChar *) "\"no\"", 4) == 0)
 		{
-			*standalone = 0;
+			if (standalone)
+				*standalone = 0;
 			p += 4;
 		}
 		else
@@ -1218,8 +1220,8 @@ xml_parse(text *data, XmlOptionType xmloption_arg, bool preserve_whitespace,
 		{
 			int			res_code;
 			size_t		count;
-			xmlChar    *version = NULL;
-			int			standalone = -1;
+			xmlChar    *version;
+			int			standalone;
 
 			res_code = parse_xml_decl(utf8string,
 									  &count, &version, NULL, &standalone);

Original file line number	Diff line number	Diff line change
`@@ -1067,13 +1067,15 @@ parse_xml_decl(const xmlChar str, size_t lenp,`
`1067`	`1067`	`if (xmlStrncmp(p, (xmlChar *) "'yes'", 5) == 0 \|\|`
`1068`	`1068`	`xmlStrncmp(p, (xmlChar *) "\"yes\"", 5) == 0)`
`1069`	`1069`	`{`
`1070`		`- *standalone = 1;`
	`1070`	`+ if (standalone)`
	`1071`	`+ *standalone = 1;`
`1071`	`1072`	`p += 5;`
`1072`	`1073`	`}`
`1073`	`1074`	`else if (xmlStrncmp(p, (xmlChar *) "'no'", 4) == 0 \|\|`
`1074`	`1075`	`xmlStrncmp(p, (xmlChar *) "\"no\"", 4) == 0)`
`1075`	`1076`	`{`
`1076`		`- *standalone = 0;`
	`1077`	`+ if (standalone)`
	`1078`	`+ *standalone = 0;`
`1077`	`1079`	`p += 4;`
`1078`	`1080`	`}`
`1079`	`1081`	`else`
`@@ -1218,8 +1220,8 @@ xml_parse(text *data, XmlOptionType xmloption_arg, bool preserve_whitespace,`
`1218`	`1220`	`{`
`1219`	`1221`	`int res_code;`
`1220`	`1222`	`size_t count;`
`1221`		`- xmlChar *version = NULL;`
`1222`		`- int standalone = -1;`
	`1223`	`+ xmlChar *version;`
	`1224`	`+ int standalone;`
`1223`	`1225`
`1224`	`1226`	`res_code = parse_xml_decl(utf8string,`
`1225`	`1227`	`&count, &version, NULL, &standalone);`