Date: Thu, 4 Jun 2026 16:31:20 +0900
From: Michael Paquier
To: surya poondla
Cc: "violin0613@tju.edu.cn", pgsql-bugs@postgresql.org
Subject: Re: Fw: Re: heap_force_common in contrib/pg_surgery/heap_surgery.c has an off by one stack buffer overflow
References: <20260604002256.40f1fd544@smtp.qiye.163.com>
On Wed, Jun 03, 2026 at 03:31:27PM -0700, surya poondla wrote:
> Thank you for reporting the issue; I am able to reproduce it on master.
> The include_this_tid[] array is sized MaxHeapTuplesPerPage but indexed
> using 1-based OffsetNumber,
> so the largest legal offset (MaxHeapTuplesPerPage itself) lands one slot
> past the end.

- bool include_this_tid[MaxHeapTuplesPerPage];
+ /* Sized +1 because OffsetNumbers are 1-based and can reach MaxHeapTuplesPerPage. */
+ bool include_this_tid[MaxHeapTuplesPerPage + 1];

The offset number begins at 1. Hence, instead of making this array
larger by one, you could keep it at the same size and adjust the array
index to use (offno - 1) instead.
--
Michael
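Review bot: The `+ 1` sizing stops the write at offno == MaxHeapTuplesPerPage from landing past the end, but it leaves slot 0 permanently unused and keeps the 1-based-offset-into-0-based-array mismatch that produced the bug; whichever convention is chosen (the larger array, or the `offno - 1` mapping suggested in the reply), the store into include_this_tid should be preceded by an explicit check that offno lies within [FirstOffsetNumber, MaxHeapTuplesPerPage], so that an offset outside that range is rejected rather than written. The added comment line is also longer than the usual 80-column limit in this tree and should be wrapped.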
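As an added illustration, not code from this thread or from pg_surgery, the snippet below contrasts direct indexing of a MaxHeapTuplesPerPage-sized array by a 1-based OffsetNumber with the (offno - 1) mapping suggested above, guarded by an explicit range check. MAX_TUPLES_PER_PAGE is a constructed stand-in for MaxHeapTuplesPerPage (291 matches an 8 kB page but any value shows the same off-by-one), and mark_tid, mark_offsets and tid_is_marked are hypothetical simplifications of the marking loop, not heap_force_common's own code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for MaxHeapTuplesPerPage (the real value depends on
 * BLCKSZ); the off-by-one is the same for any value. */
#define MAX_TUPLES_PER_PAGE 291
#define FIRST_OFFSET_NUMBER 1          /* OffsetNumbers are 1-based */
typedef uint16_t OffsetNumber;

/* Original layout: bool include_this_tid[MAX_TUPLES_PER_PAGE] indexed by
 * offno directly. Reports whether that index is inside the array; it is
 * not for offno == MAX_TUPLES_PER_PAGE, the largest legal offset. */
bool direct_index_in_bounds(OffsetNumber offno)
{
    return offno < MAX_TUPLES_PER_PAGE;
}

/* Hardened marking (hypothetical helper): validate the 1-based offset, then
 * map it to the 0-based slot (offno - 1). Out-of-range offsets are rejected
 * instead of being written past the end of the array. */
bool mark_tid(bool include_this_tid[MAX_TUPLES_PER_PAGE], OffsetNumber offno)
{
    if (offno < FIRST_OFFSET_NUMBER || offno > MAX_TUPLES_PER_PAGE)
        return false;
    include_this_tid[offno - FIRST_OFFSET_NUMBER] = true;
    return true;
}

/* Mark every offset in a list of offsets (constructed input in the caller),
 * the way a per-page TID loop would. Returns how many offsets were rejected. */
int mark_offsets(const OffsetNumber *offsets, size_t n,
                 bool include_this_tid[MAX_TUPLES_PER_PAGE])
{
    int rejected = 0;

    memset(include_this_tid, 0, MAX_TUPLES_PER_PAGE * sizeof(bool));
    for (size_t i = 0; i < n; i++)
        if (!mark_tid(include_this_tid, offsets[i]))
            rejected++;
    return rejected;
}

/* Read back with the same mapping: slot (offno - 1) holds offset offno. */
bool tid_is_marked(const bool include_this_tid[MAX_TUPLES_PER_PAGE],
                   OffsetNumber offno)
{
    if (offno < FIRST_OFFSET_NUMBER || offno > MAX_TUPLES_PER_PAGE)
        return false;
    return include_this_tid[offno - FIRST_OFFSET_NUMBER];
}
```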