From 0924717e3f6f071f504056f3f0c6b92d868788ca Mon Sep 17 00:00:00 2001
From: zhoujiaqi
Date: Thu, 7 Dec 2023 17:20:09 +0800
Subject: [PATCH] Fix: may cause UAF problem in get_size_from_segDBs

In function `get_size_from_segDBs`, If the cdb result returned from segment is not as expected. Then we will clear up the cdb call the ereport. But in this cause the value in cdb result have been freed. We should keep a cdb result before cleanup it.
---
 src/backend/utils/adt/dbsize.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/src/backend/utils/adt/dbsize.c b/src/backend/utils/adt/dbsize.c
index 5cf4cb4e891..cc3ad270d4f 100644
--- a/src/backend/utils/adt/dbsize.c
+++ b/src/backend/utils/adt/dbsize.c
@@ -89,21 +89,30 @@ get_size_from_segDBs(const char *cmd)
 	for (i = 0; i < cdb_pgresults.numResults; i++)
 	{
 		Datum value;
+		ExecStatusType status;
+		int ntuples;
+		int nfields;
+
 		struct pg_result *pgresult = cdb_pgresults.pg_results[i];
-		if (PQresultStatus(pgresult) != PGRES_TUPLES_OK)
+		status = PQresultStatus(pgresult);
+		if (status != PGRES_TUPLES_OK)
 		{
 			cdbdisp_clearCdbPgResults(&cdb_pgresults);
 			ereport(ERROR, (errmsg("unexpected result from segment: %d",
-								   PQresultStatus(pgresult))));
+								   status)));
 		}
-		if (PQntuples(pgresult) != 1 || PQnfields(pgresult) != 1)
+
+		ntuples = PQntuples(pgresult);
+		nfields = PQnfields(pgresult);
+
+		if (ntuples != 1 || nfields != 1)
 		{
 			cdbdisp_clearCdbPgResults(&cdb_pgresults);
 			ereport(ERROR, (errmsg("unexpected shape of result from segment (%d rows, %d cols)",
-								   PQntuples(pgresult), PQnfields(pgresult))));
+								   ntuples, nfields)));
 		}
 		if (PQgetisnull(pgresult, 0, 0))
 			value = 0;