Prevent use after free in flatten_join_alias_var_optimizer function

yjhjstz · yjhjstz · commit 6f96bb5d11e6 · 2025-08-09T05:28:01.000+08:00
This patch prevents several use after free bugs present in
flatten_join_alias_var_optimizer. Specifically, the function uses
flatten_join_alias_vars function multiple times, and assumes that the
original node can be freed immediately after. This is not always the case
since under some circumstances flatten_join_alias_vars does not modify its
input and simply passes it through without copying. This patch adds conditions
to check if the original node can safely be freed, preventing use after free.
diff --git a/src/backend/optimizer/util/clauses.c b/src/backend/optimizer/util/clauses.c
@@ -5528,35 +5528,41 @@ flatten_join_alias_var_optimizer(Query *query, int queryLevel)
 	if (NIL != targetList)
 	{
 		queryNew->targetList = (List *) flatten_join_alias_vars(queryNew, (Node *) targetList);
-		list_free(targetList);
+		/* We can free the old list only if it was replaced */
+		if (targetList != queryNew->targetList)
+			list_free(targetList);
 	}
 
 	List * returningList = queryNew->returningList;
 	if (NIL != returningList)
 	{
 		queryNew->returningList = (List *) flatten_join_alias_vars(queryNew, (Node *) returningList);
-		list_free(returningList);
+		if (returningList != queryNew->returningList)
+			list_free(returningList);
 	}
 
 	Node *havingQual = queryNew->havingQual;
 	if (NULL != havingQual)
 	{
 		queryNew->havingQual = flatten_join_alias_vars(queryNew, havingQual);
-		pfree(havingQual);
+		if (havingQual != queryNew->havingQual)
+			pfree(havingQual);
 	}
 
 	List *scatterClause = queryNew->scatterClause;
 	if (NIL != scatterClause)
 	{
 		queryNew->scatterClause = (List *) flatten_join_alias_vars(queryNew, (Node *) scatterClause);
-		list_free(scatterClause);
+		if (scatterClause != queryNew->scatterClause)
+			list_free(scatterClause);
 	}
 
 	Node *limitOffset = queryNew->limitOffset;
 	if (NULL != limitOffset)
 	{
 		queryNew->limitOffset = flatten_join_alias_vars(queryNew, limitOffset);
-		pfree(limitOffset);
+		if (limitOffset != queryNew->limitOffset)
+			pfree(limitOffset);
 	}
 
 	List *windowClause = queryNew->windowClause;
@@ -5583,7 +5589,8 @@ flatten_join_alias_var_optimizer(Query *query, int queryLevel)
 	if (NULL != limitCount)
 	{
 		queryNew->limitCount = flatten_join_alias_vars(queryNew, limitCount);
-		pfree(limitCount);
+		if (limitCount != queryNew->limitCount)
+			pfree(limitCount);
 	}
 
     return queryNew;

Original file line number	Diff line number	Diff line change
`@@ -5528,35 +5528,41 @@ flatten_join_alias_var_optimizer(Query *query, int queryLevel)`
`5528`	`5528`	`if (NIL != targetList)`
`5529`	`5529`	`{`
`5530`	`5530`	`queryNew->targetList = (List ) flatten_join_alias_vars(queryNew, (Node ) targetList);`
`5531`		`- list_free(targetList);`
	`5531`	`+ /* We can free the old list only if it was replaced */`
	`5532`	`+ if (targetList != queryNew->targetList)`
	`5533`	`+ list_free(targetList);`
`5532`	`5534`	`}`
`5533`	`5535`
`5534`	`5536`	`List * returningList = queryNew->returningList;`
`5535`	`5537`	`if (NIL != returningList)`
`5536`	`5538`	`{`
`5537`	`5539`	`queryNew->returningList = (List ) flatten_join_alias_vars(queryNew, (Node ) returningList);`
`5538`		`- list_free(returningList);`
	`5540`	`+ if (returningList != queryNew->returningList)`
	`5541`	`+ list_free(returningList);`
`5539`	`5542`	`}`
`5540`	`5543`
`5541`	`5544`	`Node *havingQual = queryNew->havingQual;`
`5542`	`5545`	`if (NULL != havingQual)`
`5543`	`5546`	`{`
`5544`	`5547`	`queryNew->havingQual = flatten_join_alias_vars(queryNew, havingQual);`
`5545`		`- pfree(havingQual);`
	`5548`	`+ if (havingQual != queryNew->havingQual)`
	`5549`	`+ pfree(havingQual);`
`5546`	`5550`	`}`
`5547`	`5551`
`5548`	`5552`	`List *scatterClause = queryNew->scatterClause;`
`5549`	`5553`	`if (NIL != scatterClause)`
`5550`	`5554`	`{`
`5551`	`5555`	`queryNew->scatterClause = (List ) flatten_join_alias_vars(queryNew, (Node ) scatterClause);`
`5552`		`- list_free(scatterClause);`
	`5556`	`+ if (scatterClause != queryNew->scatterClause)`
	`5557`	`+ list_free(scatterClause);`
`5553`	`5558`	`}`
`5554`	`5559`
`5555`	`5560`	`Node *limitOffset = queryNew->limitOffset;`
`5556`	`5561`	`if (NULL != limitOffset)`
`5557`	`5562`	`{`
`5558`	`5563`	`queryNew->limitOffset = flatten_join_alias_vars(queryNew, limitOffset);`
`5559`		`- pfree(limitOffset);`
	`5564`	`+ if (limitOffset != queryNew->limitOffset)`
	`5565`	`+ pfree(limitOffset);`
`5560`	`5566`	`}`
`5561`	`5567`
`5562`	`5568`	`List *windowClause = queryNew->windowClause;`
`@@ -5583,7 +5589,8 @@ flatten_join_alias_var_optimizer(Query *query, int queryLevel)`
`5583`	`5589`	`if (NULL != limitCount)`
`5584`	`5590`	`{`
`5585`	`5591`	`queryNew->limitCount = flatten_join_alias_vars(queryNew, limitCount);`
`5586`		`- pfree(limitCount);`
	`5592`	`+ if (limitCount != queryNew->limitCount)`
	`5593`	`+ pfree(limitCount);`
`5587`	`5594`	`}`
`5588`	`5595`
`5589`	`5596`	`return queryNew;`