Guard against null arguments in binary_upgrade_create_empty_extension().

tglsfdc · tglsfdc · commit 939d10cd8711 · 2016-01-03T16:26:38.000-05:00
The CHECK_IS_BINARY_UPGRADE macro is not sufficient security protection if we're going to dereference pass-by-reference arguments before it. But in any case we really need to explicitly check PG_ARGISNULL for all the arguments of a non-strict function, not only the ones we expect null values for. Oversight in commits 30982be and f92fc4c. Found by Andreas Seltenreich. (The other usages in pg_upgrade_support.c seem safe.)
diff --git a/src/backend/utils/adt/pg_upgrade_support.c b/src/backend/utils/adt/pg_upgrade_support.c
@@ -129,16 +129,28 @@ binary_upgrade_set_next_pg_authid_oid(PG_FUNCTION_ARGS)
 Datum
 binary_upgrade_create_empty_extension(PG_FUNCTION_ARGS)
 {
-	text	   *extName = PG_GETARG_TEXT_PP(0);
-	text	   *schemaName = PG_GETARG_TEXT_PP(1);
-	bool		relocatable = PG_GETARG_BOOL(2);
-	text	   *extVersion = PG_GETARG_TEXT_PP(3);
+	text	   *extName;
+	text	   *schemaName;
+	bool		relocatable;
+	text	   *extVersion;
 	Datum		extConfig;
 	Datum		extCondition;
 	List	   *requiredExtensions;
 
 	CHECK_IS_BINARY_UPGRADE;
 
+	/* We must check these things before dereferencing the arguments */
+	if (PG_ARGISNULL(0) ||
+		PG_ARGISNULL(1) ||
+		PG_ARGISNULL(2) ||
+		PG_ARGISNULL(3))
+		elog(ERROR, "null argument to binary_upgrade_create_empty_extension is not allowed");
+
+	extName = PG_GETARG_TEXT_PP(0);
+	schemaName = PG_GETARG_TEXT_PP(1);
+	relocatable = PG_GETARG_BOOL(2);
+	extVersion = PG_GETARG_TEXT_PP(3);
+
 	if (PG_ARGISNULL(4))
 		extConfig = PointerGetDatum(NULL);
 	else
