hstore: Fix NULL pointer dereference with receive function

michaelpq · hs-liuxh · commit 70d65bc90488 · 2026-03-13T18:13:28.000+08:00
The receive function of hstore was not able to handle correctly
duplicate key values when a new duplicate links to a NULL value, where a
pfree() could be attempted on a NULL pointer, crashing due to a pointer
dereference.

This problem would happen for a COPY BINARY, when stacking values like
that:
aa =&gt; 5
aa =&gt; null

The second key/value pair is discarded and pfree() calls are attempted
on its key and its value, leading to a pointer dereference for the value
part as the value is NULL.  The first key/value pair takes priority when
a duplicate is found.

Per offline report.

Reported-by: "Anemone" &lt;vergissmeinnichtzh@gmail.com&gt;
Reported-by: "A1ex" &lt;alex000young@gmail.com&gt;
Backpatch-through: 14
diff --git a/contrib/hstore/hstore_io.c b/contrib/hstore/hstore_io.c
@@ -346,7 +346,8 @@ hstoreUniquePairs(Pairs *a, int32 l, int32 *buflen)
 			if (ptr->needfree)
 			{
 				pfree(ptr->key);
-				pfree(ptr->val);
+				if (ptr->val != NULL)
+					pfree(ptr->val);
 			}
 		}
 		else

Original file line number	Diff line number	Diff line change
`@@ -346,7 +346,8 @@ hstoreUniquePairs(Pairs a, int32 l, int32 buflen)`
`346`	`346`	`if (ptr->needfree)`
`347`	`347`	`{`
`348`	`348`	`pfree(ptr->key);`
`349`		`- pfree(ptr->val);`
	`349`	`+ if (ptr->val != NULL)`
	`350`	`+ pfree(ptr->val);`
`350`	`351`	`}`
`351`	`352`	`}`
`352`	`353`	`else`