Guard against null arguments in binary_upgrade_create_empty_extension().

The CHECK_IS_BINARY_UPGRADE macro is not sufficient security protection
if we're going to dereference pass-by-reference arguments before it.

But in any case we really need to explicitly check PG_ARGISNULL for all
the arguments of a non-strict function, not only the ones we expect null
values for.

Oversight in commits 30982be4e5019684e1772dd9170aaa53f5a8e894 and
f92fc4c95ddcc25978354a8248d3df22269201bc.  Found by Andreas Seltenreich.
(The other usages in pg_upgrade_support.c seem safe.)

1 files changed, 16 insertions, 4 deletions

diff --git a/src/backend/utils/adt/pg_upgrade_support.c b/src/backend/utils/adt/pg_upgrade_support.c
index b5c732bfca2..912eadaf369 100644
--- a/src/backend/utils/adt/pg_upgrade_support.c
+++ b/src/backend/utils/adt/pg_upgrade_support.c
@@ -129,16 +129,28 @@ binary_upgrade_set_next_pg_authid_oid(PG_FUNCTION_ARGS)
 Datum
 binary_upgrade_create_empty_extension(PG_FUNCTION_ARGS)
 {
-	text	   *extName = PG_GETARG_TEXT_PP(0);
-	text	   *schemaName = PG_GETARG_TEXT_PP(1);
-	bool		relocatable = PG_GETARG_BOOL(2);
-	text	   *extVersion = PG_GETARG_TEXT_PP(3);
+	text	   *extName;
+	text	   *schemaName;
+	bool		relocatable;
+	text	   *extVersion;
 	Datum		extConfig;
 	Datum		extCondition;
 	List	   *requiredExtensions;
 
 	CHECK_IS_BINARY_UPGRADE;
 
+	/* We must check these things before dereferencing the arguments */
+	if (PG_ARGISNULL(0) ||
+		PG_ARGISNULL(1) ||
+		PG_ARGISNULL(2) ||
+		PG_ARGISNULL(3))
+		elog(ERROR, "null argument to binary_upgrade_create_empty_extension is not allowed");
+
+	extName = PG_GETARG_TEXT_PP(0);
+	schemaName = PG_GETARG_TEXT_PP(1);
+	relocatable = PG_GETARG_BOOL(2);
+	extVersion = PG_GETARG_TEXT_PP(3);
+
 	if (PG_ARGISNULL(4))
 		extConfig = PointerGetDatum(NULL);
 	else