jsonb_plperl, jsonb_plpython: Fix unguarded recursion and loops.

Add check_stack_depth() to Jsonb_to_SV, SV_to_JsonbValue,
PLyObject_FromJsonbContainer, and PLyObject_ToJsonbValue.  Without
this, deeply nested JSONB values can crash the backend with SIGSEGV
instead of raising a proper error.

Also add CHECK_FOR_INTERRUPTS() to the while loop in SV_to_JsonbValue
that dereferences chains of Perl references, so that a circular
reference (e.g. $x = \$x) can be cancelled by the user instead of
spinning indefinitely.  (We looked at detecting such circular
references, but it seems more trouble than it's worth.)

Author: Aleksander Alekseev <aleksander@tigerdata.com>
Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>
Discussion: https://postgr.es/m/CAJ7c6TPbjkzUk4qJ5dHvDNEz0hBuFue3A-XWz_=897z+BC+z8A@mail.gmail.com
Backpatch-through: 14

diff --git a/contrib/jsonb_plperl/jsonb_plperl.c b/contrib/jsonb_plperl/jsonb_plperl.c
index f8e4a584fddf0f40d2495f062a918a6427f07746..97d147cc65acb990d9787ee959d1294e3cb69621 100644 (file)
--- a/contrib/jsonb_plperl/jsonb_plperl.c
+++ b/contrib/jsonb_plperl/jsonb_plperl.c
@@ -3,6 +3,7 @@
 #include <math.h>
 
 #include "fmgr.h"
+#include "miscadmin.h"
 #include "plperl.h"
 #include "utils/fmgrprotos.h"
 #include "utils/jsonb.h"
@@ -66,6 +67,9 @@ Jsonb_to_SV(JsonbContainer *jsonb)
        JsonbIterator *it;
        JsonbIteratorToken r;
 
+       /* this can recurse via JsonbValue_to_SV() */
+       check_stack_depth();
+
        it = JsonbIteratorInit(jsonb);
        r = JsonbIteratorNext(&it, &v, true);
 
@@ -179,9 +183,20 @@ SV_to_JsonbValue(SV *in, JsonbInState *jsonb_state, bool is_elem)
        dTHX;
        JsonbValue      out;                    /* result */
 
+       /* this can recurse via AV_to_JsonbValue() or HV_to_JsonbValue() */
+       check_stack_depth();
+
        /* Dereference references recursively. */
        while (SvROK(in))
+       {
+               /*
+                * It's possible for circular references to make this an infinite
+                * loop.  Checking for such a situation seems like much more trouble
+                * than it's worth, but let's provide a way to break out of the loop.
+                */
+               CHECK_FOR_INTERRUPTS();
                in = SvRV(in);
+       }
 
        switch (SvTYPE(in))
        {

diff --git a/contrib/jsonb_plpython/jsonb_plpython.c b/contrib/jsonb_plpython/jsonb_plpython.c
index 4de75a04e7669359ac5b9dec09188709a88e3a0b..909612a6039b197e0748ce2dd07d3002957f69de 100644 (file)
--- a/contrib/jsonb_plpython/jsonb_plpython.c
+++ b/contrib/jsonb_plpython/jsonb_plpython.c
@@ -1,5 +1,6 @@
 #include "postgres.h"
 
+#include "miscadmin.h"
 #include "plpy_elog.h"
 #include "plpy_typeio.h"
 #include "plpy_util.h"
@@ -143,6 +144,9 @@ PLyObject_FromJsonbContainer(JsonbContainer *jsonb)
        JsonbIterator *it;
        PyObject   *result;
 
+       /* this can recurse via PLyObject_FromJsonbValue() */
+       check_stack_depth();
+
        it = JsonbIteratorInit(jsonb);
        r = JsonbIteratorNext(&it, &v, true);
 
@@ -410,6 +414,9 @@ PLyObject_ToJsonbValue(PyObject *obj, JsonbInState *jsonb_state, bool is_elem)
 {
        JsonbValue *out;
 
+       /* this can recurse via PLyMapping_ToJsonbValue() */
+       check_stack_depth();
+
        if (!PyUnicode_Check(obj))
        {
                if (PySequence_Check(obj))