git.ipfire.org Git - thirdparty/postgresql.git/commitdiff
hstore: Fix NULL pointer dereference with receive function
author Michael Paquier <michael@paquier.xyz>
Mon, 16 Feb 2026 23:41:26 +0000 (08:41 +0900)
committer Michael Paquier <michael@paquier.xyz>
Mon, 16 Feb 2026 23:41:26 +0000 (08:41 +0900)
The receive function of hstore was not able to handle correctly
duplicate key values when a new duplicate links to a NULL value, where a
pfree() could be attempted on a NULL pointer, crashing due to a pointer
dereference.

This problem would happen for a COPY BINARY, when stacking values like
that:
aa => 5
aa => null

The second key/value pair is discarded and pfree() calls are attempted
on its key and its value, leading to a pointer dereference for the value
part as the value is NULL.  The first key/value pair takes priority when
a duplicate is found.

Per offline report.

Reported-by: "Anemone" <vergissmeinnichtzh@gmail.com>
Reported-by: "A1ex" <alex000young@gmail.com>
Backpatch-through: 14

contrib/hstore/hstore_io.c

index 9cdfcb5daa0ce95ff5a591d78b9a9d78fb7fdefe..9b72efb8674a784de77746d2893d9598216663ec 100644 (file)
@@ -385,7 +385,8 @@ hstoreUniquePairs(Pairs *a, int32 l, int32 *buflen)
                        if (ptr->needfree)
                        {
                                pfree(ptr->key);
-                               pfree(ptr->val);
+                               if (ptr->val != NULL)
+                                       pfree(ptr->val);
                        }
                }
                else
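
Review bot: The new "if (ptr->val != NULL)" guard in hstoreUniquePairs() carries no comment explaining why val can be NULL while needfree is set. A one-line comment at that check, noting that a discarded duplicate may hold a NULL value and that pfree() does not accept NULL the way free() does, would keep a later cleanup from dropping it. The diff as shown touches only contrib/hstore/hstore_io.c, so consider adding a regression test that sends the duplicate-key case from the commit message (aa => 5 followed by aa => null) through the receive path.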