From da82fbb8f9a3b1e46b55d5975ef59113cd3a59a6 Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Wed, 17 Jun 2026 11:04:41 -0400 Subject: [PATCH] jsonb_plperl, jsonb_plpython: Fix unguarded recursion and loops. Add check_stack_depth() to Jsonb_to_SV, SV_to_JsonbValue, PLyObject_FromJsonbContainer, and PLyObject_ToJsonbValue. Without this, deeply nested JSONB values can crash the backend with SIGSEGV instead of raising a proper error. Also add CHECK_FOR_INTERRUPTS() to the while loop in SV_to_JsonbValue that dereferences chains of Perl references, so that a circular reference (e.g. $x = \$x) can be cancelled by the user instead of spinning indefinitely. (We looked at detecting such circular references, but it seems more trouble than it's worth.) Author: Aleksander Alekseev Reviewed-by: Tom Lane Discussion: https://postgr.es/m/CAJ7c6TPbjkzUk4qJ5dHvDNEz0hBuFue3A-XWz_=897z+BC+z8A@mail.gmail.com Backpatch-through: 14 --- contrib/jsonb_plperl/jsonb_plperl.c | 15 +++++++++++++++ contrib/jsonb_plpython/jsonb_plpython.c | 7 +++++++ 2 files changed, 22 insertions(+) diff --git a/contrib/jsonb_plperl/jsonb_plperl.c b/contrib/jsonb_plperl/jsonb_plperl.c index f8e4a584fdd..97d147cc65a 100644 --- a/contrib/jsonb_plperl/jsonb_plperl.c +++ b/contrib/jsonb_plperl/jsonb_plperl.c @@ -3,6 +3,7 @@ #include #include "fmgr.h" +#include "miscadmin.h" #include "plperl.h" #include "utils/fmgrprotos.h" #include "utils/jsonb.h" @@ -66,6 +67,9 @@ Jsonb_to_SV(JsonbContainer *jsonb) JsonbIterator *it; JsonbIteratorToken r; + /* this can recurse via JsonbValue_to_SV() */ + check_stack_depth(); + it = JsonbIteratorInit(jsonb); r = JsonbIteratorNext(&it, &v, true); @@ -179,9 +183,20 @@ SV_to_JsonbValue(SV *in, JsonbInState *jsonb_state, bool is_elem) dTHX; JsonbValue out; /* result */ + /* this can recurse via AV_to_JsonbValue() or HV_to_JsonbValue() */ + check_stack_depth(); + /* Dereference references recursively. */ while (SvROK(in)) + { + /* + * It's possible for circular references to make this an infinite + * loop. Checking for such a situation seems like much more trouble + * than it's worth, but let's provide a way to break out of the loop. + */ + CHECK_FOR_INTERRUPTS(); in = SvRV(in); + } switch (SvTYPE(in)) { diff --git a/contrib/jsonb_plpython/jsonb_plpython.c b/contrib/jsonb_plpython/jsonb_plpython.c index 4de75a04e76..909612a6039 100644 --- a/contrib/jsonb_plpython/jsonb_plpython.c +++ b/contrib/jsonb_plpython/jsonb_plpython.c @@ -1,5 +1,6 @@ #include "postgres.h" +#include "miscadmin.h" #include "plpy_elog.h" #include "plpy_typeio.h" #include "plpy_util.h" @@ -143,6 +144,9 @@ PLyObject_FromJsonbContainer(JsonbContainer *jsonb) JsonbIterator *it; PyObject *result; + /* this can recurse via PLyObject_FromJsonbValue() */ + check_stack_depth(); + it = JsonbIteratorInit(jsonb); r = JsonbIteratorNext(&it, &v, true); @@ -410,6 +414,9 @@ PLyObject_ToJsonbValue(PyObject *obj, JsonbInState *jsonb_state, bool is_elem) { JsonbValue *out; + /* this can recurse via PLyMapping_ToJsonbValue() */ + check_stack_depth(); + if (!PyUnicode_Check(obj)) { if (PySequence_Check(obj)) -- 2.47.3