Hi,
On Sun, Jan 30, 2022 at 10:47:18AM +0800, wliang@stu.xidian.edu.cn wrote:
>
> I find a potential bug caused by an improper call to pfree in PostgreSQL 14.1, which is in
> backend/utils/adt/jsonb_gin.c
>
> Specifically, at line 1116, the pointer 'stack' is assigned with the address of a local variable 'tail'.
> At line 1163, pfree() is called to free 'stack'. However, pfree is designed to free the memory in heap rather than
> stack.
>
> 1158 case WJB_END_ARRAY:
> 1159 case WJB_END_OBJECT:
> 1160 /* Pop the stack */
> 1161 parent = stack->parent;
> 1162 pfree(stack);
>
> I think it may be a potential bug and can be fixed without any side-effect as:
>
> ++ if (stack != &tail)
> 1162 pfree(stack);
I don't think it's necessary, it should be guaranteed that something has been
pushed on the tail, i.e. there shouldn't be a WJB_END_* before a corresponding
begin.
Note that the tail also can't have a parent, so even if that scenario could
happen, it would crash in the previous instruction anyway, trying to
dereference a NULL pointer.
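To make the invariant concrete, here is a small model of the push/pop pattern under discussion, added as an example and not code from PostgreSQL: the bottom of the stack is a local 'tail', every BEGIN token pushes a heap node, every END token pops and frees the top. The token enum, the walk_tokens function and the use of malloc/free in place of palloc/pfree are assumptions of the model; only the PathHashStack layout mirrors the file being discussed.

```c
/* Model of the jsonb_gin.c stack handling (added example, not PostgreSQL code). */
#include <stdlib.h>
#include <string.h>

typedef enum { TOK_BEGIN, TOK_END, TOK_SCALAR } Token; /* assumed stand-ins for WJB_* */

typedef struct PathHashStack
{
    unsigned int hash;
    struct PathHashStack *parent;
} PathHashStack;

/*
 * Walk a token stream the way the GIN extractor walks a jsonb iterator.
 * Returns 0 on a balanced stream, -1 if an END arrives with nothing pushed
 * (the case the report worries about), -2 if containers are left unclosed.
 * *freed_tail is set to 1 only if the code would have tried to free 'tail'.
 */
int walk_tokens(const Token *toks, int ntoks, int *freed_tail)
{
    PathHashStack tail;                 /* lives on the C stack, never freed */
    PathHashStack *stack, *parent;
    int i;

    memset(&tail, 0, sizeof(tail));     /* tail.parent == NULL, tail.hash == 0 */
    stack = &tail;
    *freed_tail = 0;

    for (i = 0; i < ntoks; i++)
    {
        switch (toks[i])
        {
            case TOK_BEGIN:             /* push a level: always a heap node */
                parent = stack;
                stack = (PathHashStack *) malloc(sizeof(PathHashStack));
                stack->hash = parent->hash;
                stack->parent = parent;
                break;
            case TOK_END:               /* pop: frees the node pushed by BEGIN */
                if (stack == &tail)
                {
                    /* stack->parent would be NULL here, so the real code
                     * would crash before reaching pfree(); record it instead. */
                    *freed_tail = 1;
                    return -1;
                }
                parent = stack->parent;
                free(stack);
                stack = parent;
                break;
            case TOK_SCALAR:
                break;
        }
    }
    if (stack == &tail)
        return 0;
    while (stack != &tail)              /* unbalanced input: release leftovers */
    {
        parent = stack->parent;
        free(stack);
        stack = parent;
    }
    return -2;
}
```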