From 0e6127c4f60b26da18ac8df48d2b6a8de5ed9d4c Mon Sep 17 00:00:00 2001
From: manaldush
Date: Fri, 4 Apr 2025 16:27:56 +0300
Subject: [PATCH] AddressSanitizer: stack-use-after-scope on distributed_planner:HasUnresolvedExternParamsWalker (#7948)
Var externParamPlaceholder is created on stack, and its address is used for paramFetch. Postgres code return address of externParamPlaceholder var to externParam, then code flow go out of scope and dereference pointer on stack out of scope. Fixes https://github.com/citusdata/citus/issues/7941.
---------
Co-authored-by: Onur Tirtir
---
 src/backend/distributed/planner/distributed_planner.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/src/backend/distributed/planner/distributed_planner.c b/src/backend/distributed/planner/distributed_planner.c
index ac7754cb9..7f8f827ea 100644
--- a/src/backend/distributed/planner/distributed_planner.c
+++ b/src/backend/distributed/planner/distributed_planner.c
@@ -2549,21 +2549,20 @@ HasUnresolvedExternParamsWalker(Node *expression, ParamListInfo boundParams)
 /* check whether parameter is available (and valid) */
 if (boundParams && paramId > 0 && paramId <= boundParams->numParams)
 {
- ParamExternData *externParam = NULL;
+ Oid paramType = InvalidOid;
 /* give hook a chance in case parameter is dynamic */
 if (boundParams->paramFetch != NULL)
 {
 ParamExternData externParamPlaceholder;
- externParam = (*boundParams->paramFetch)(boundParams, paramId, false,
- &externParamPlaceholder);
+ paramType = (*boundParams->paramFetch)(boundParams, paramId, false,
+ &externParamPlaceholder)->ptype;
 }
 else
 {
- externParam = &boundParams->params[paramId - 1];
+ paramType = boundParams->params[paramId - 1].ptype;
 }
- Oid paramType = externParam->ptype;
 if (OidIsValid(paramType))
 {
 return false;
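Review bot: The paramFetch branch carries no comment explaining why `->ptype` is read before the block's closing brace, so a later cleanup could hoist the returned pointer out again and reintroduce the stack-use-after-scope this commit fixes. The hook is handed `&externParamPlaceholder` as workspace and, per the commit message, may return that same address, so the result is only safe to dereference while the placeholder is still in scope. I would add above the call: `/* paramFetch may return &externParamPlaceholder; read ptype here, before the placeholder goes out of scope */`. HasUnresolvedExternParamsWalker begins and ends outside this hunk, so whether other callers of paramFetch in the file follow the same pattern cannot be confirmed from here.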