From 517b72a9d5e3451e7180b1e889bbd0ea49b5a37a Mon Sep 17 00:00:00 2001
From: Onur Tirtir <onurcantirtir@gmail.com>
Date: Mon, 10 Oct 2022 16:38:21 +0300
Subject: [PATCH] Fix use-after-free in GetAlterTriggerStateCommand() (#6413)

Fix use-after-free in GetAlterTriggerStateCommand() introduced in #6398.
---
 src/backend/distributed/commands/trigger.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/backend/distributed/commands/trigger.c b/src/backend/distributed/commands/trigger.c
index 6f46cf0dc..5d3b92f04 100644
--- a/src/backend/distributed/commands/trigger.c
+++ b/src/backend/distributed/commands/trigger.c
@@ -139,8 +139,6 @@ GetAlterTriggerStateCommand(Oid triggerId)
 	const char *quotedTrigName = quote_identifier(NameStr(triggerForm->tgname));
 	char enableDisableState = triggerForm->tgenabled;
 
-	heap_freetuple(triggerTuple);
-
 	const char *alterTriggerStateStr = NULL;
 	switch (enableDisableState)
 	{
@@ -178,6 +176,13 @@ GetAlterTriggerStateCommand(Oid triggerId)
 	appendStringInfo(alterTriggerStateCommand, "ALTER TABLE %s %s TRIGGER %s;",
 					 qualifiedRelName, alterTriggerStateStr, quotedTrigName);
 
+	/*
+	 * Free triggerTuple at the end since quote_identifier() might not return
+	 * a palloc'd string if given identifier doesn't need to be quoted, and in
+	 * that case quotedTrigName would still be bound to triggerTuple.
+	 */
+	heap_freetuple(triggerTuple);
+
 	return alterTriggerStateCommand->data;
 }