From: Amit Langote <amitlan@postgresql.org>
Date: Tue, 31 Mar 2026 08:04:44 +0000 (+0900)
Subject: Fix use-after-free in ri_LoadConstraintInfo
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=68a8601ee9ec7285b5a3839e17360c0a9d0e52a3;p=thirdparty%2Fpostgresql.git

Fix use-after-free in ri_LoadConstraintInfo

conindid was read from conForm after ReleaseSysCache(tup).  Move
the read to before the release.

Introduced by commit 2da86c1ef9b5.

Per buildfarm member prion.

Discussion: https://postgr.es/m/CA+HiwqGGYjN6F2oL7yAk=hvSs-sj3TPqZ9JC9iyLkCqJadECrw@mail.gmail.com
---

diff --git a/src/backend/utils/adt/ri_triggers.c b/src/backend/utils/adt/ri_triggers.c
index da7640a8005..ffaa0e749cb 100644
--- a/src/backend/utils/adt/ri_triggers.c
+++ b/src/backend/utils/adt/ri_triggers.c
@@ -2396,6 +2396,11 @@ ri_LoadConstraintInfo(Oid constraintOid)
 						  &riinfo->period_intersect_oper);
 	}
 
+	/* Metadata used by fast path. */
+	riinfo->conindid = conForm->conindid;
+	riinfo->pk_is_partitioned =
+		(get_rel_relkind(riinfo->pk_relid) == RELKIND_PARTITIONED_TABLE);
+
 	ReleaseSysCache(tup);
 
 	/*
@@ -2406,10 +2411,6 @@ ri_LoadConstraintInfo(Oid constraintOid)
 
 	riinfo->valid = true;
 
-	riinfo->conindid = conForm->conindid;
-	riinfo->pk_is_partitioned =
-		(get_rel_relkind(riinfo->pk_relid) == RELKIND_PARTITIONED_TABLE);
-
 	riinfo->fpmeta = NULL;
 
 	return riinfo;