Fix use-after-free bug with event triggers and ALTER TABLE.

EventTriggerAlterTableEnd neglected to make sure that it built its
output list in the right context.  In simple cases this was masked
because the function is called in PortalContext which will be
sufficiently long-lived anyway; but that doesn't make it not a bug.
Commit ced138e8c fixed this in HEAD and v13, but mistakenly chose
not to back-patch further.  Back-patch the same code change all
the way (I didn't bother with the test case though, as it would
prove nothing in pre-v13 branches).

Per report from Arseny Sher.
Original fix by Jehan-Guillaume de Rorthais.

Discussion: https://postgr.es/m/877drcyprb.fsf@ars-thinkpad
Discussion: https://postgr.es/m/20200902193715.6e0269d4@firost

diff --git a/src/backend/commands/event_trigger.c b/src/backend/commands/event_trigger.c
index 9a702e4097ee28b58d5727febc01d70047ced6af..b02b35868fa7e6786d182db50d0e0257ed9cce35 100644 (file)
--- a/src/backend/commands/event_trigger.c
+++ b/src/backend/commands/event_trigger.c
@@ -1799,9 +1799,15 @@ EventTriggerAlterTableEnd(void)
        /* If no subcommands, don't collect */
        if (list_length(currentEventTriggerState->currentCommand->d.alterTable.subcmds) != 0)
        {
+               MemoryContext oldcxt;
+
+               oldcxt = MemoryContextSwitchTo(currentEventTriggerState->cxt);
+
                currentEventTriggerState->commandList =
                        lappend(currentEventTriggerState->commandList,
                                        currentEventTriggerState->currentCommand);
+
+               MemoryContextSwitchTo(oldcxt);
        }
        else
                pfree(currentEventTriggerState->currentCommand);