Fix obscure segfault condition in PL/Python

In PLy_output(), when the elog() call in the TRY branch throws an exception
(this can happen when a statement timeout kicks in, for example), the
PyErr_SetString() call in the CATCH branch can cause a segfault, because the
Py_XDECREF(so) call before it releases memory that is still used by the sv
variable that PyErr_SetString() uses as argument, because sv points into
memory owned by so.

Backpatched back to 8.0, where this code was introduced.

I also threw in a couple of volatile declarations for variables that are used
before and after the TRY.  I don't think they caused the crash that I
observed, but they could become issues.

diff --git a/src/pl/plpython/plpython.c b/src/pl/plpython/plpython.c
index 98b7dfbc3b31160dfe9df08cff61931a9efff2c0..53c298bae533c208ea6eb14200e32f15fdb240f8 100644 (file)
--- a/src/pl/plpython/plpython.c
+++ b/src/pl/plpython/plpython.c
@@ -29,7 +29,7 @@
  * MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
  *
  * IDENTIFICATION
- *     $PostgreSQL: pgsql/src/pl/plpython/plpython.c,v 1.66.2.6 2008/07/28 18:45:05 tgl Exp $
+ *     $PostgreSQL: pgsql/src/pl/plpython/plpython.c,v 1.66.2.7 2009/11/03 08:12:46 petere Exp $
  *
  *********************************************************************
  */
@@ -2410,9 +2410,9 @@ PLy_fatal(PyObject * self, PyObject * args)
 static PyObject *
 PLy_output(volatile int level, PyObject * self, PyObject * args)
 {
-       PyObject   *so;
+       PyObject   *volatile so;
        char       *volatile sv;
-       MemoryContext oldcontext;
+       volatile MemoryContext oldcontext;
 
        so = PyObject_Str(args);
        if ((so == NULL) || ((sv = PyString_AsString(so)) == NULL))
@@ -2431,6 +2431,10 @@ PLy_output(volatile int level, PyObject * self, PyObject * args)
                MemoryContextSwitchTo(oldcontext);
                PLy_error_in_progress = CopyErrorData();
                FlushErrorState();
+
+               PyErr_SetString(PLy_exc_error, sv);
+               /* Note: If sv came from PyString_AsString(), it points into
+                * storage owned by so.  So free so after using sv. */
                Py_XDECREF(so);
 
                /*
@@ -2438,7 +2442,6 @@ PLy_output(volatile int level, PyObject * self, PyObject * args)
                 * control passes back to PLy_procedure_call, we check for PG
                 * exceptions and re-throw the error.
                 */
-               PyErr_SetString(PLy_exc_error, sv);
                return NULL;
        }
        PG_END_TRY();