Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wV47y-001evK-2p for pgsql-bugs@arkaria.postgresql.org; Thu, 04 Jun 2026 09:12:39 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wV47x-005gBb-2F for pgsql-bugs@arkaria.postgresql.org; Thu, 04 Jun 2026 09:12:37 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wV47x-005gBP-1R for pgsql-bugs@lists.postgresql.org; Thu, 04 Jun 2026 09:12:37 +0000 Received: from mail-dl1-x1230.google.com ([2607:f8b0:4864:20::1230]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1wV47v-00000001D5c-1qs5 for pgsql-bugs@postgresql.org; Thu, 04 Jun 2026 09:12:37 +0000 Received: by mail-dl1-x1230.google.com with SMTP id a92af1059eb24-137dd523634so706094c88.1 for ; Thu, 04 Jun 2026 02:12:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1780564353; cv=none; d=google.com; s=arc-20240605; b=MMDsm/KZ6JAgcV9yMOAgfJTMefvF5e8QV0PCVPslT6+08EdY/Bp1y6o4dXSSbHcz5v DrYSExsTYy+P5TXuOl9uMmn7/50qdioGwY8Lkz+9Rx+KAgKTxni+nTxGdHHFar3UXzWL zvLexF2TIfmbr3YvZgDzXuLvMRb2pdjcmB/VKLOQdgKwbq+T2UNsQ8DYqWUjM9Lsi+mq ZoKK1Ym6cVz66XtQKYGYVSPJ0iv8tLiEwNF9UDSlDVGbsIZ2mRS1v3ypJVp887JH0EBH nIYLJ+qTlJDJIBaG+1hDkCa/x67WGoj0OsyPl0Qzgjmx6b3mqBqARcFmlZDtUcBSdsT+ Wv5w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=cTziatp+22D73C2CwkHHJyl7jxw35gkDrkKsraA2kc4=; fh=AmdNUCkl2din2wszlVpQZofpMpRyIIF+zPOAEnj7L6U=; b=T6FdUsPul46QeCBuccdVBAzAe3GCv8qcqZ8he2EOALYeotfJPFls3fReV34skizR7S G5Jl1earmsFJ2gI16fFM/GCEpUaC0bzUlYyKI0hYs/k1pH4fK93ONILXcIBSx/pV/btS fvhDzYAoNYyDkBr5qTg1JzrBnf+lZfMQc8fAKdmyWNUlEl8Bm3fwf3DaSxBEA4+cw+SB /UsvkwxBUc6lOFTxUZW9EHUr2aFIOE/oVa09DW3LWWsKzYlP9v/Pdcv3nIEDIZt/PJ4N yDATARbYSmPvrgQ2ATmL/NYgJLfA5LEVolfmXSUjHVDRUKKU3zQEC4AyZqSImrduzlYL PMEw==; darn=postgresql.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780564353; x=1781169153; darn=postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=cTziatp+22D73C2CwkHHJyl7jxw35gkDrkKsraA2kc4=; b=cQ9U2hAV2QL6/c5AtNcU5GEg6KvHoiOTFkUmeLI4rHLjwUjO5p9uQ1nrvsNhaA3EhY 6TyaG39YVyxPKC89JcNi+poLBbldplZlDjUvx6ECPOp2uMsBvxdIGGXSYDheOL8851ih zv8c4c56wIaJ++5CDPSVkJMRZVJSyiAadApsXQf1c5XiXp3o7SpnluASiR7+rsrxGwyc QMDmcjh3Tg3UuXeb7mVUNu+V+qkxBlanigB/VVV4fj7C/9JxOiuT2L9Ld3RIsEY2kF0p 9R9FhbePcrNg7Fy0wTil8cF09qvl/KaKXeDviR4Gy/0kA+RKxUnsbWfx483iCPoeYpvQ lhLA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780564353; x=1781169153; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=cTziatp+22D73C2CwkHHJyl7jxw35gkDrkKsraA2kc4=; b=iZSvuWP0lgJGjYAIuDDC3wIPeABIMcO+odwyro7NDrRDbpS3ZTi2U4lvUP4f5jxFM9 7vq9W0V88KI8HObQpEsqbgzFDBbVw5rPDcuz9r7FKZD/iBDrBflBg5JS66XVVyK61xcm 0QdnLDqvYGb6nhpA7QkIzL1tpoqMBt9jC3kEiJWmEu7wtXAA10eY9do7EG5J2Nn75Wtj z3CMJ8YGbQNTTdpnkOI2p/OzUUkiqFiLE6bHDdl28/bW4vOId79B7YNfTYVrdpvE71my 8Sju1+6w3G/5peZjsNnF9m0yIIjzbXemBCew0B8e4JlzlE8e6OIZr7E3y/R69OBq1bth 7KFA== X-Forwarded-Encrypted: i=1; AFNElJ9wKaL3p/TDAIsIO43ttIFCufsgJP7b7JBLyCs8O94E05+coUKwzAJ99VdLaNPspC8vAaIyFFqbKhTs@postgresql.org X-Gm-Message-State: AOJu0YwWKWHf7B7VkPDi772kxm/K2mjJYVEp8r9ldaOwjXtymL7fjMyN SXtqPpwWI+AhLbAbxiBtt2qNguiY8aneod8Bbser1aNGI1n0XhAyHbDYi0l5WduWctrst/AknWD +EQDgZ0pYi62mY21Am+ASd9nZ03gEPXU= X-Gm-Gg: Acq92OGWgU0VYea8se+2b9lgWG6H36cn4kIfAFw82DCI98rKKoAFHLHzT5uDeY397m0 5qGw6rSD4VWDW06zgHAn78NPI2BD3uTjVYkOtOcMjbBsK655c9IMlNZh6SO5LnGCO+OrxNlI7eQ OZYMaQY+fSf67mi4ScJPwCj1cQP+2WfzpTAGB7VDU6RjpKY2aHO2detxWLnloIrLmlde9qSyy10 Yu08ApNDlgVv88tJ8+SGVNE6jaryWOAKjHNKoGLmq/ft96sWj77N2iNyw1omKq4r4AxDZFN4bfW poRpQMrx4CJRSNbvlI2cznRj0rpA5a4P67ht48zxnIEhJX/P X-Received: by 2002:a05:7022:6291:b0:137:546:9e9d with SMTP id a92af1059eb24-137f6bb262fmr2864945c88.23.1780564353321; Thu, 04 Jun 2026 02:12:33 -0700 (PDT) MIME-Version: 1.0 References: <20260604002256.40f1fd544@smtp.qiye.163.com> In-Reply-To: From: Ashutosh Sharma Date: Thu, 4 Jun 2026 14:42:23 +0530 X-Gm-Features: AVHnY4IJcMXNB8WkoKl_pFVDkQQ3FWI_x3j44v4WqfYwnVhjtNNozXKcLSUvCaQ Message-ID: Subject: Re: Fw: Re: heap_force_common in contrib/pg_surgery/heap_surgery.c has an off by one stack buffer overflow To: Michael Paquier Cc: surya poondla , "violin0613@tju.edu.cn" , pgsql-bugs@postgresql.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Hi Michael, On Thu, Jun 4, 2026 at 1:01=E2=80=AFPM Michael Paquier wrote: > > On Wed, Jun 03, 2026 at 03:31:27PM -0700, surya poondla wrote: > > Thank you for reporting the issue, I am able to reproduce it on master. > > The include_this_tid[] array is sized MaxHeapTuplesPerPage but indexed > > using 1-based OffsetNumber, > > so the largest legal offset (MaxHeapTuplesPerPage itself) lands one slo= t > > past the end. > > - bool include_this_tid[MaxHeapTuplesPerPage]; > + /* Sized +1 because OffsetNumbers are 1-based and can reach MaxHeapT= uplesPerPage. */ > + bool include_this_tid[MaxHeapTuplesPerPage + 1]; > > The offset number begins at 1. Hence, instead of making this array > larger by one, you could keep it at the same size and adjust the array > index to use (offno - 1) instead. I think Surya's approach is worth considering here. Making the helper array 1-based aligns it naturally with PostgreSQL's convention, where page offsets are 1-based, and that consistency has real readability benefits. With a 1-based helper array: bool include_this_tid[MaxHeapTuplesPerPage + 1]; we can write: include_this_tid[offno] =3D true; if (!include_this_tid[curoff]) continue; i.e. we can simply "mark this offset number" and "check whether this offset number is included" - no mental translation required. With a zero-based helper array: bool include_this_tid[MaxHeapTuplesPerPage]; every access has to do a conversion: include_this_tid[offno - 1] =3D true; if (!include_this_tid[curoff - 1]) continue; This works correctly, but it places an ongoing burden on anyone reading or modifying the code - they need to keep in mind that page offsets are 1-based, that this particular array is 0-based, that the subtraction must be applied consistently, that it should be skipped for InvalidOffsetNumber, and that the two index spaces should not be inadvertently mixed in future edits. These are admittedly small risks, but they are real ones. Keeping the array 1-based eliminates that entire class of potential confusion and makes the code easier to maintain going forward. I'd lean toward Surya's approach for that reason. -- With Regards, Ashutosh Sharma.