Fix crash in tsql_row_to_xml_path function (babelfish-for-postgresql#4661)

rohit01010 · rohit01010 · commit 9c2265beb9e3 · 2026-03-19T04:22:06.000Z
Fixed a crash in tsql_row_to_xml_path function that occurred when processing FOR XML PATH queries with all-null column values. The crash was caused by unsafe string buffer manipulation when converting null elements to self-closing XML tags without proper bounds checking.

This fix reorganizes the null-handling logic to prevent buffer underflow.

Task: BABEL-5364

Authored-by: Rohit Bhagat rohitbgt@amazon.com
diff --git a/contrib/babelfishpg_tsql/src/tsql_for/forxml.c b/contrib/babelfishpg_tsql/src/tsql_for/forxml.c
@@ -143,6 +143,10 @@ tsql_query_to_xml_text_ffunc(PG_FUNCTION_ARGS)
 {
 	StringInfo	res = for_xml_ffunc(fcinfo);
 
+	/* return NULL if empty result (i.e. no rows) */
+	if (res->len == 0)
+		PG_RETURN_NULL();
+
 	PG_RETURN_TEXT_P(cstring_to_text_with_len(res->data, res->len));
 }
 
@@ -313,7 +317,7 @@ validate_attribute_centric_col_names_xml(const char *element_name, TupleDesc tup
 			seen_non_att_centric = true;
 	}
 
-	if(seen_att_centric && element_name[0] == '\0')
+	if(seen_att_centric && (element_name && strlen(element_name) == 0))
 	{
 		ereport(ERROR,
 				(errcode(ERRCODE_INVALID_XML_PROCESSING_INSTRUCTION),
@@ -331,14 +335,15 @@ static void
 tsql_row_to_xml_path(StringInfo state, Datum record, const char *element_name, bool binary_base64, bool xsinil)
 {
 	HeapTupleHeader td;
-	Oid			tupType;
-	int32		tupTypmod;
-	TupleDesc	tupdesc;
-	HeapTupleData tmptup;
-	HeapTuple	tuple;
-	bool		allnull = true;
-	bool		has_att_centric = false;
-	bool		first = true;
+	Oid             tupType;
+	int32           tupTypmod;
+	TupleDesc       tupdesc;
+	HeapTupleData   tmptup;
+	HeapTuple       tuple;
+	bool            allnull = true;
+	bool            has_att_centric = false;
+	bool            first = true;
+	int             inital_state_len = state->len;
 
 	td = DatumGetHeapTupleHeader(record);
 
@@ -358,7 +363,7 @@ tsql_row_to_xml_path(StringInfo state, Datum record, const char *element_name, b
 	 * each tuple is either contained in a "row" tag, or standalone if the
 	 * element_name is an empty string
 	 */
-	if (element_name[0] != '\0')
+	if (element_name && strlen(element_name) > 0)
 	{
 		/* if "''" is the input path, ignore it per TSQL behavior */
 		if (has_att_centric)
@@ -420,7 +425,7 @@ tsql_row_to_xml_path(StringInfo state, Datum record, const char *element_name, b
 				else
 				{
 					/* When PATH('') is used with XSINIL, add xmlns to each element */
-					if (element_name[0] == '\0' && xsinil)
+					if ((element_name && strlen(element_name) == 0) && xsinil)
 						appendStringInfo(state, "<%s " XML_XMLNS_XSI ">%s</%s>",
 										 colname,
 										 map_sql_value_to_xml_value(colval, datatype_oid, true),
@@ -453,7 +458,7 @@ tsql_row_to_xml_path(StringInfo state, Datum record, const char *element_name, b
 				if (strncmp(NameStr(att->attname), "?column?", 8) != 0)
 				{
 					/* When PATH('') is used with XSINIL, add xmlns to each element */
-					if (element_name[0] == '\0')
+					if (element_name && strlen(element_name) == 0)
 						appendStringInfo(state, "<%s " XML_XMLNS_XSI " " XML_XSI_NIL "/>", colname);
 					else
 						appendStringInfo(state, "<%s " XML_XSI_NIL "/>", colname);
@@ -462,24 +467,32 @@ tsql_row_to_xml_path(StringInfo state, Datum record, const char *element_name, b
 		}
 	}
 
-	if (allnull)
-	{
-		/*
-		 * If all the column values are nulls, this element should be
-		 * <element_name/>, modify the already appended <element_name> to
-		 * <element_name/>.
-		 */
-		state->data[state->len - 1] = '/';
-		appendStringInfoString(state, ">");
-	}
-	else if (element_name[0] != '\0')
+	if (element_name && strlen(element_name) > 0)
 	{
 		if (has_att_centric && first)
 		{
 			appendStringInfoString(state, "/>");
 		}
 		else
-			appendStringInfo(state, "</%s>", element_name);
+		{
+			if (allnull)
+			{
+				/*
+				 * At this point, state = <output from previous rows> + '<element_name>'
+				 * 
+				 * If all the column values are nulls, this element should be
+				 * <element_name/>, modify the already appended <element_name> to
+				 * <element_name/>.
+				 */
+				if (state->len > inital_state_len)	// sanity check, should always be true
+				{
+					state->data[state->len - 1] = '/';
+					appendStringInfoString(state, ">");
+				}
+			}
+			else
+				appendStringInfo(state, "</%s>", element_name);
+		}
 	}
 	ReleaseTupleDesc(tupdesc);
 }
diff --git a/test/JDBC/expected/forxml-path-vu-cleanup.out b/test/JDBC/expected/forxml-path-vu-cleanup.out
@@ -10,5 +10,8 @@ DROP VIEW for_xml_path_v3
 DROP VIEW for_xml_path_v4
 GO
 
+DROP TABLE for_xml_path_all_null
+GO
+
 DROP TABLE for_xml_path
 GO
diff --git a/test/JDBC/expected/forxml-path-vu-prepare.out b/test/JDBC/expected/forxml-path-vu-prepare.out
@@ -6,6 +6,20 @@ GO
 ~~ROW COUNT: 9~~
 
 
+CREATE TABLE for_xml_path_all_null (col1 INT NULL);
+GO
+
+SET NOCOUNT ON
+GO
+
+DECLARE @i INT = 1; 
+WHILE @i <= 2048 
+BEGIN
+    INSERT INTO for_xml_path_all_null VALUES (NULL);
+    SET @i = @i + 1;
+END
+GO
+
 CREATE VIEW for_xml_path_v1 AS SELECT String as param1, hello.String as [@param2] FROM for_xml_path hello ORDER BY SequenceNumber FOR XML PATH('hello')
 GO
 
diff --git a/test/JDBC/expected/forxml-path-vu-verify.out b/test/JDBC/expected/forxml-path-vu-verify.out
@@ -123,3 +123,29 @@ ntext
  SELECT Product, UnitPrice, EffectiveDate FROM Products WHERE UnitPrice &gt; 100
 ~~END~~
 
+
+-- BABEL-5364
+-- Crash causing query
+SELECT col1 from for_xml_path_all_null FOR XML PATH('')
+GO
+~~START~~
+ntext
+~~END~~
+
+
+SELECT col1 from for_xml_path_all_null FOR XML PATH(''), ELEMENTS, TYPE
+GO
+~~START~~
+xml
+
+~~END~~
+
+
+SELECT Top 10 col1 from for_xml_path_all_null FOR XML PATH('element')
+GO
+~~START~~
+ntext
+<element/><element/><element/><element/><element/><element/><element/><element/><element/><element/>
+~~END~~
+
+
diff --git a/test/JDBC/input/forxml/forxml-path-vu-cleanup.sql b/test/JDBC/input/forxml/forxml-path-vu-cleanup.sql
@@ -10,5 +10,8 @@ DROP VIEW for_xml_path_v3
 DROP VIEW for_xml_path_v4
 GO
 
+DROP TABLE for_xml_path_all_null
+GO
+
 DROP TABLE for_xml_path
 GO
diff --git a/test/JDBC/input/forxml/forxml-path-vu-prepare.sql b/test/JDBC/input/forxml/forxml-path-vu-prepare.sql
@@ -4,6 +4,20 @@ GO
 INSERT INTO for_xml_path VALUES (1,'SELECT'),(2,'Product,'),(3,'UnitPrice,'),(4,'EffectiveDate'),(5,'FROM'), (6,'Products'),(7,'WHERE'),(8,'UnitPrice'),(9,'> 100');
 GO
 
+CREATE TABLE for_xml_path_all_null (col1 INT NULL);
+GO
+
+SET NOCOUNT ON
+GO
+
+DECLARE @i INT = 1; 
+WHILE @i <= 2048 
+BEGIN
+    INSERT INTO for_xml_path_all_null VALUES (NULL);
+    SET @i = @i + 1;
+END
+GO
+
 CREATE VIEW for_xml_path_v1 AS SELECT String as param1, hello.String as [@param2] FROM for_xml_path hello ORDER BY SequenceNumber FOR XML PATH('hello')
 GO
 
diff --git a/test/JDBC/input/forxml/forxml-path-vu-verify.sql b/test/JDBC/input/forxml/forxml-path-vu-verify.sql
@@ -47,3 +47,15 @@ GO
 
 EXEC for_xml_path_p4
 GO
+
+-- BABEL-5364
+-- Crash causing query
+SELECT col1 from for_xml_path_all_null FOR XML PATH('')
+GO
+
+SELECT col1 from for_xml_path_all_null FOR XML PATH(''), ELEMENTS, TYPE
+GO
+
+SELECT Top 10 col1 from for_xml_path_all_null FOR XML PATH('element')
+GO
+
