Hello, a static analyzer pointed out a possible NULL dereference at the end of
json_errdetail() (src/common/jsonapi.c):
return lex->errormsg->data;
That seemed plausible to me, since there is a comment just above saying that
lex->errormsg can be NULL in shlib code. I also checked PQExpBufferBroken(),
and it does handle NULL, but that call is under #ifdef, while the final access
to lex->errormsg->data is unconditional.
I may be missing some invariant here, but it seems worth adding an explicit
NULL check. I prepared a corresponding patch and am attaching it below in case
you agree that this is a real issue.
diff --git a/src/common/jsonapi.c b/src/common/jsonapi.c
index 1145d93945f..192040b5443 100644
--- a/src/common/jsonapi.c
+++ b/src/common/jsonapi.c
@@ -2525,6 +2525,9 @@ json_errdetail(JsonParseErrorType error, JsonLexContext
*lex)
if (PQExpBufferBroken(lex->errormsg))
return _("out of memory while constructing error description");
#endif
+
+ if (!lex->errormsg)
+ return _("out of memory while constructing error description");
return lex->errormsg->data;
}
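Review bot: the new `if (!lex->errormsg)` test sits after `#endif`, so in builds where the `PQExpBufferBroken(lex->errormsg)` check is compiled in (and, per the cover text, already tolerates a NULL buffer) the NULL case is tested twice and yields the same string from both branches. Consider placing the NULL check above the `#ifdef` block so it is the single unconditional guard, leaving the broken-buffer check to cover only the allocated-but-failed case. Reusing the "out of memory" message also asserts that a NULL `errormsg` can only mean an allocation failure; if the pointer can be NULL for another reason, a distinct message would be clearer to the caller.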
Best regards, Galkin Sergey
From eefe51e74a89e05a21a0718cbf007a5add45dfc6 Mon Sep 17 00:00:00 2001
From: Sergey <[email protected]>
Date: Fri, 3 Apr 2026 19:54:18 +0300
Subject: [PATCH] Added an additional check when dereferencing a pointer
---
src/common/jsonapi.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/common/jsonapi.c b/src/common/jsonapi.c
index 1145d93945f..192040b5443 100644
--- a/src/common/jsonapi.c
+++ b/src/common/jsonapi.c
@@ -2525,6 +2525,9 @@ json_errdetail(JsonParseErrorType error, JsonLexContext *lex)
if (PQExpBufferBroken(lex->errormsg))
return _("out of memory while constructing error description");
#endif
+
+ if (!lex->errormsg)
+ return _("out of memory while constructing error description");
return lex->errormsg->data;
}
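Review bot: the added branch has no comment tying it to the existing comment above the function (referred to in the cover text) that says `lex->errormsg` can be NULL in shlib code; a one-line comment at the new check stating when the pointer is expected to be NULL would document the invariant at the point it is enforced. The leading blank `+` line is also unnecessary: the surrounding code puts the final `return lex->errormsg->data;` directly after `#endif` without a separator.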
--
2.43.0