Silence Coverity complaint about possible null-pointer dereference.
author: Tom Lane <[email protected]>
Sun, 5 May 2024 15:23:49 +0000 (11:23 -0400)
committer: Tom Lane <[email protected]>
Sun, 5 May 2024 15:23:49 +0000 (11:23 -0400)
If pg_init_privs were to contain a NULL ACL field, this code would
pass old_acl == NULL to merge_acl_with_grant, which would crash.
The case shouldn't happen, but it just takes a couple more lines
of code to guard against it, so do so.

Oversight in 534287403; no back-patch needed.

src/backend/catalog/aclchk.c

index e6cc720579c5e3a15bafb0372aae3f6925abced6..143876b77ff8e0f5ea6302db1d358ed38e50c7bb 100644 (file)
@@ -4934,14 +4934,17 @@ RemoveRoleFromInitPriv(Oid roleid, Oid classid, Oid objid, int32 objsubid)
    /*
     * Generate new ACL.  Grantor of rights is always the same as the owner.
     */
-   new_acl = merge_acl_with_grant(old_acl,
-                                  false,   /* is_grant */
-                                  false,   /* grant_option */
-                                  DROP_RESTRICT,
-                                  list_make1_oid(roleid),
-                                  ACLITEM_ALL_PRIV_BITS,
-                                  ownerId,
-                                  ownerId);
+   if (old_acl != NULL)
+       new_acl = merge_acl_with_grant(old_acl,
+                                      false,   /* is_grant */
+                                      false,   /* grant_option */
+                                      DROP_RESTRICT,
+                                      list_make1_oid(roleid),
+                                      ACLITEM_ALL_PRIV_BITS,
+                                      ownerId,
+                                      ownerId);
+   else
+       new_acl = NULL;         /* this case shouldn't happen, probably */
 
    /* If we end with an empty ACL, delete the pg_init_privs entry. */
    if (new_acl == NULL || ACL_NUM(new_acl) == 0)
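Review bot: the new `else` branch (`new_acl = NULL;`) turns a NULL ACL read from pg_init_privs into a silent deletion of the pg_init_privs row, because control then falls straight into `if (new_acl == NULL || ACL_NUM(new_acl) == 0)` below. The commit message says this case should not occur, yet the hunk's comment `/* this case shouldn't happen, probably */` leaves a reader unsure whether dropping the entry is the intended handling or merely a side effect of avoiding the crash. Suggest either stating the outcome in the comment (a NULL initprivs ACL carries no grants, so removing the row is the correct end state) or, if the invariant is real, adding `Assert(old_acl != NULL);` before the `if` so assert-enabled builds flag an unexpected NULL while production builds keep the tolerant path.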