Avoid platform-specific null pointer dereference in psql.

POSIX permits getopt() to advance optind beyond argc when the last
argv entry is an option that requires an argument and hasn't got one.
It seems that no major platforms actually do that, but musl does,
so that something like "psql -f" would crash with that libc.
Add a check that optind is in range before trying to look at the
possibly-bogus option.

Report and fix by Quentin Rameau.  Back-patch to all supported
branches.

Discussion: https://postgr.es/m/20190825100617.GA6087@fifth.space

diff --git a/src/bin/psql/startup.c b/src/bin/psql/startup.c
index 0c090d15c2e851dcabd9c15aee19a4b751aa58e8..142ec76e10fb7c3a1323fa478f752185e6b852d8 100644 (file)
--- a/src/bin/psql/startup.c
+++ b/src/bin/psql/startup.c
@@ -571,15 +571,18 @@ parse_psql_options(int argc, char *argv[], struct adhoc_opts * options)
                                options->single_txn = true;
                                break;
                        case '?':
-                               /* Actual help option given */
-                               if (strcmp(argv[optind - 1], "-?") == 0)
+                               if (optind <= argc &&
+                                       strcmp(argv[optind - 1], "-?") == 0)
                                {
+                                       /* actual help option given */
                                        usage(NOPAGER);
                                        exit(EXIT_SUCCESS);
                                }
-                               /* unknown option reported by getopt */
                                else
+                               {
+                                       /* getopt error (unknown option or missing argument) */
                                        goto unknown_option;
+                               }
                                break;
                        case 1:
                                {