Re: BUG #18617: PostgreSQL Server Subprocess Crashes by the XPATH Function Expression with Crafted Arguments
From | Tom Lane |
---|---|
Subject | Re: BUG #18617: PostgreSQL Server Subprocess Crashes by the XPATH Function Expression with Crafted Arguments |
Date | |
Msg-id | 160394.1726271824@sss.pgh.pa.us |
In response to | Re: BUG #18617: PostgreSQL Server Subprocess Crashes by the XPATH Function Expression with Crafted Arguments (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses | Re: BUG #18617: PostgreSQL Server Subprocess Crashes by the XPATH Function Expression with Crafted Arguments |
List | pgsql-bugs |
I wrote:
> I filed a new report at
> https://gitlab.gnome.org/GNOME/libxml2/-/issues/799

Based on Nick Wellnhofer's response there, I've experimented with the attached WIP patch, and it does seem to prevent the problem as long as you have a non-ancient libxml2. This is only WIP because there are other xmlXPathCompile calls we'd have to fix.

Sadly, still-popular distros like RHEL8 have "ancient" libxml2 versions, but that means they're exposed to the original bug not only this variant. It seems to me to be worth masking the bug where we can, though.

Nick also suggested that we not bother with a separate xmlXPathCompile call if we're just going to throw away the compiled expression after one use. Perhaps that's good cleanup, not sure. I don't know if anyone has serious ambitions of re-using the compiled XPath expressions.

regards, tom lane

diff --git a/src/backend/utils/adt/xml.c b/src/backend/utils/adt/xml.c index 1a07876cd5..37e0cabe60 100644 --- a/src/backend/utils/adt/xml.c +++ b/src/backend/utils/adt/xml.c @@ -4448,7 +4448,7 @@ xpath_internal(text *xpath_expr_text, xmltype *data, ArrayType *namespaces, } } - xpathcomp = xmlXPathCompile(xpath_expr); + xpathcomp = xmlXPathCtxtCompile(xpathctx, xpath_expr); if (xpathcomp == NULL || xmlerrcxt->err_occurred) xml_ereport(xmlerrcxt, ERROR, ERRCODE_INTERNAL_ERROR, "invalid XPath expression");
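Review bot: the changed line in xpath_internal(), `xpathcomp = xmlXPathCtxtCompile(xpathctx, xpath_expr);`, has no comment saying why the context-taking variant is needed, so a later cleanup could switch it back to `xmlXPathCompile(xpath_expr)` and reintroduce the crash; a one-line comment above the call pointing at bug #18617 would prevent that. The call also now depends on `xpathctx` having been created and checked before this point, which the visible context lines do not show, so that ordering is worth confirming in the full function. The `xpathcomp == NULL || xmlerrcxt->err_occurred` check that follows is unchanged and still reports "invalid XPath expression" under ERRCODE_INTERNAL_ERROR; if the context-aware compile can now reject expressions that previously compiled, consider whether that message and error code are still the right ones for the user. As the message itself notes, the other xmlXPathCompile callers need the same substitution before this is complete.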