Fix out-of-memory handling in ecpglib.

ecpg_build_params() would crash on a null pointer dereference if realloc() failed, due to updating the persistent "stmt" struct too aggressively. (Even without the crash, this would've leaked the old storage that we were trying to realloc.) Per Coverity. This seems to have been broken in commit 0cc05079, so back-patch into v12.

Fix out-of-memory handling in ecpglib.
ecpg_build_params() would crash on a null pointer dereference if realloc() failed, due to updating the persistent "stmt" struct too aggressively. (Even without the crash, this would've leaked the old storage that we were trying to realloc.) Per Coverity. This seems to have been broken in commit 0cc05079, so back-patch into v12.
44f1fc8d · Tom Lane · 9c679a08 · 44f1fc8d
Commit 44f1fc8d authored Jan 19, 2020 by Tom Lane
Show whitespace changes
Inline Side-by-side

Showing with 24 additions and 13 deletions

src/interfaces/ecpg/ecpglib/execute.c src/interfaces/ecpg/ecpglib/execute.c +24 -13

No files found.
--- a/src/interfaces/ecpg/ecpglib/execute.c
+++ b/src/interfaces/ecpg/ecpglib/execute.c
@@ -1499,26 +1499,37 @@ ecpg_build_params(struct statement *stmt)
 		}
 		else
 		{
-			if (!(stmt->paramvalues = (char **) ecpg_realloc(stmt->paramvalues, sizeof(char *) * (stmt->nparams + 1), stmt->lineno)))
+			bool		realloc_failed = false;
+			char	  **newparamvalues;
+			int		   *newparamlengths;
+			int		   *newparamformats;
+
+			/* enlarge all the param arrays */
+			if ((newparamvalues = (char **) ecpg_realloc(stmt->paramvalues, sizeof(char *) * (stmt->nparams + 1), stmt->lineno)))
+				stmt->paramvalues = newparamvalues;
+			else
+				realloc_failed = true;
+
+			if ((newparamlengths = (int *) ecpg_realloc(stmt->paramlengths, sizeof(int) * (stmt->nparams + 1), stmt->lineno)))
+				stmt->paramlengths = newparamlengths;
+			else
+				realloc_failed = true;
+
+			if ((newparamformats = (int *) ecpg_realloc(stmt->paramformats, sizeof(int) * (stmt->nparams + 1), stmt->lineno)))
+				stmt->paramformats = newparamformats;
+			else
+				realloc_failed = true;
+
+			if (realloc_failed)
 			{
 				ecpg_free_params(stmt, false);
 				ecpg_free(tobeinserted);
 				return false;
 			}
-			stmt->paramvalues[stmt->nparams] = tobeinserted;

-			if (!(stmt->paramlengths = (int *) ecpg_realloc(stmt->paramlengths, sizeof(int) * (stmt->nparams + 1), stmt->lineno)))
-			{
-				ecpg_free_params(stmt, false);
-				return false;
-			}
+			/* only now can we assign ownership of "tobeinserted" to stmt */
+			stmt->paramvalues[stmt->nparams] = tobeinserted;
 			stmt->paramlengths[stmt->nparams] = binary_length;
-
-			if (!(stmt->paramformats = (int *) ecpg_realloc(stmt->paramformats, sizeof(int) * (stmt->nparams + 1), stmt->lineno)))
-			{
-				ecpg_free_params(stmt, false);
-				return false;
-			}
 			stmt->paramformats[stmt->nparams] = (binary_format ? 1 : 0);
 			stmt->nparams++;