    Repair double-free in SP-GIST rescan (bug #15378) · 500d4979
    Andrew Gierth authored
    spgrescan would first reset traversalCxt, and then traverse a
    potentially non-empty stack containing pointers to traversalValues
    which had been allocated in those contexts, freeing them a second
    time. This bug originates in commit ccd6eb49 where traversalValue was
    introduced.
    
    Repair by traversing the stack before the context reset; this isn't
    ideal, since it means doing retail pfree in a context that's about to
    be reset, but the freeing of a stack entry is also done in other
    places in the code during the scan so it's not worth trying to
    refactor it further. Regression test added.
    
    Backpatch to 9.6 where the problem was introduced.
    
    Per bug #15378; analysis and patch by me, originally from a report on
    IRC by user velix; see also PostGIS ticket #4174; review by Alexander
    Korotkov.
    
    Discussion: https://postgr.es/m/153663176628.23136.11901365223750051490@wrigleys.postgresql.org
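The ordering defect the commit message describes, as an added toy model that is not PostgreSQL code and does not use any name from spgscan.c: a memory-context-like arena that can be reset wholesale, a scan stack whose entries own pointers into it, and two rescan routines that differ only in whether the stack is drained before or after the context reset. All identifiers (Arena, ScanStack, rescan_buggy, rescan_fixed, simulate) are hypothetical; the arena counts each retail free of an already-dead allocation so the double free is observable instead of silent.

```c
/* Toy model of a "reset context, then free entries pointing into it"
 * double free. Hypothetical names throughout; not from spgscan.c. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define ARENA_SLOTS 16
#define STACK_SLOTS 16

typedef struct {
    int value;
    bool live;          /* false once reset or retail-freed */
} ArenaSlot;

typedef struct {
    ArenaSlot slots[ARENA_SLOTS];
    int used;
    int double_frees;   /* incremented on every free of a dead slot */
} Arena;

typedef struct {
    ArenaSlot *traversal[STACK_SLOTS];  /* per-entry value living in the arena */
    int top;
} ScanStack;

static ArenaSlot *arena_alloc(Arena *a, int v) {
    if (a->used >= ARENA_SLOTS) return NULL;
    ArenaSlot *s = &a->slots[a->used++];
    s->value = v;
    s->live = true;
    return s;
}

/* Retail free of one allocation; freeing a dead slot is the defect we count. */
static void arena_pfree(Arena *a, ArenaSlot *s) {
    if (!s->live) a->double_frees++;
    s->live = false;
}

/* Wholesale reset: every allocation in the context dies at once. */
static void arena_reset(Arena *a) {
    for (int i = 0; i < a->used; i++) a->slots[i].live = false;
    a->used = 0;
}

static void stack_push(ScanStack *st, ArenaSlot *s) {
    if (st->top < STACK_SLOTS) st->traversal[st->top++] = s;
}

/* Pop every entry and free its traversal value, as other scan code paths do. */
static void stack_drain(Arena *a, ScanStack *st) {
    while (st->top > 0) {
        ArenaSlot *s = st->traversal[--st->top];
        if (s) arena_pfree(a, s);
    }
}

/* Buggy order: reset the context first, then traverse the non-empty stack. */
static int rescan_buggy(Arena *a, ScanStack *st) {
    arena_reset(a);
    stack_drain(a, st);
    return a->double_frees;
}

/* Fixed order: drain the stack first, then reset the context. */
static int rescan_fixed(Arena *a, ScanStack *st) {
    stack_drain(a, st);
    arena_reset(a);
    return a->double_frees;
}

/* Constructed scenario: a scan left three entries on the stack, then a rescan runs. */
static int simulate(int (*rescan)(Arena *, ScanStack *)) {
    Arena a = {0};
    ScanStack st = {0};
    for (int i = 0; i < 3; i++) stack_push(&st, arena_alloc(&a, i));
    return rescan(&a, &st);
}

int main(void) {
    printf("buggy order: %d double frees\n", simulate(rescan_buggy));
    printf("fixed order: %d double frees\n", simulate(rescan_fixed));
    return 0;
}
```

Under a real allocator the second free would be undefined behaviour rather than a counter increment; the point of the toy is only that the fix is an ordering change, and that draining the stack before the reset leaves nothing for the reset to free twice.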
spgscan.c 17.4 KB