Guard against null arguments in binary_upgrade_create_empty_extension().

The CHECK_IS_BINARY_UPGRADE macro is not sufficient security protection
if we're going to dereference pass-by-reference arguments before it.

But in any case we really need to explicitly check PG_ARGISNULL for all
the arguments of a non-strict function, not only the ones we expect null
values for.

Oversight in commits 30982be4e5019684e1772dd9170aaa53f5a8e894 and
f92fc4c95ddcc25978354a8248d3df22269201bc.  Found by Andreas Seltenreich.
(The other usages in pg_upgrade_support.c seem safe.)

diff --git a/src/backend/utils/adt/pg_upgrade_support.c b/src/backend/utils/adt/pg_upgrade_support.c
index b5c732bfca29947ab4053ef54aa0e629f05d8915..912eadaf369a4a1ac8dd11b8341aa258d472347d 100644 (file)
--- a/src/backend/utils/adt/pg_upgrade_support.c
+++ b/src/backend/utils/adt/pg_upgrade_support.c
@@ -129,16 +129,28 @@ binary_upgrade_set_next_pg_authid_oid(PG_FUNCTION_ARGS)
 Datum
 binary_upgrade_create_empty_extension(PG_FUNCTION_ARGS)
 {
-   text       *extName = PG_GETARG_TEXT_PP(0);
-   text       *schemaName = PG_GETARG_TEXT_PP(1);
-   bool        relocatable = PG_GETARG_BOOL(2);
-   text       *extVersion = PG_GETARG_TEXT_PP(3);
+   text       *extName;
+   text       *schemaName;
+   bool        relocatable;
+   text       *extVersion;
    Datum       extConfig;
    Datum       extCondition;
    List       *requiredExtensions;
 
    CHECK_IS_BINARY_UPGRADE;
 
+   /* We must check these things before dereferencing the arguments */
+   if (PG_ARGISNULL(0) ||
+       PG_ARGISNULL(1) ||
+       PG_ARGISNULL(2) ||
+       PG_ARGISNULL(3))
+       elog(ERROR, "null argument to binary_upgrade_create_empty_extension is not allowed");
+
+   extName = PG_GETARG_TEXT_PP(0);
+   schemaName = PG_GETARG_TEXT_PP(1);
+   relocatable = PG_GETARG_BOOL(2);
+   extVersion = PG_GETARG_TEXT_PP(3);
+
    if (PG_ARGISNULL(4))
        extConfig = PointerGetDatum(NULL);
    else