Date: Fri, 5 Jun 2026 15:57:06 +0900
From: Michael Paquier
To: Ashutosh Sharma
Cc: surya poondla, "violin0613@tju.edu.cn", pgsql-bugs@postgresql.org
Subject: Re: Fw: Re: heap_force_common in contrib/pg_surgery/heap_surgery.c has an off by one stack buffer overflow
References: <20260604002256.40f1fd544@smtp.qiye.163.com>

On Fri, Jun 05, 2026 at 08:17:15AM +0900, Michael Paquier wrote:
> At the end, the first pattern is an outlier, we don't need to worry
> about performance in pg_surgery, and we're talking about three lines
> of code in pg_surgery to change (two for include_this_tid, one for the
> assertion). With all that in mind, I'd just do a -1 conversion and
> call it a day. :)

Which implies something like the simpler patch attached.
--
Michael

Attachment: surgery-oneoff.patch (text/plain, quoted-printable)

diff --git a/contrib/pg_surgery/heap_surgery.c b/contrib/pg_surgery/heap_su= rgery.c index ae4e7c0136cc..6a92d2bd5fec 100644 --- a/contrib/pg_surgery/heap_surgery.c +++ b/contrib/pg_surgery/heap_surgery.c @@ -228,8 +228,8 @@ heap_force_common(FunctionCallInfo fcinfo, HeapTupleFor= ceOption heap_force_opt) } =20 /* Mark it for processing. */ - Assert(offno < MaxHeapTuplesPerPage); - include_this_tid[offno] =3D true; + Assert((offno - 1) < MaxHeapTuplesPerPage); + include_this_tid[offno - 1] =3D true; } =20 /* 
@@ -247,7 +247,7 @@ heap_force_common(FunctionCallInfo fcinfo, HeapTupleFor= ceOption heap_force_opt) { ItemId itemid; =20 - if (!include_this_tid[curoff]) + if (!include_this_tid[curoff - 1]) continue; =20 itemid =3D PageGetItemId(page, curoff);
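Review bot: in the @@ -228 hunk, the new `Assert((offno - 1) < MaxHeapTuplesPerPage)` does not reject offno == 0 (InvalidOffsetNumber): OffsetNumber is an unsigned 16-bit type, so `offno - 1` is promoted to int and evaluates to -1, which satisfies the comparison, and the following `include_this_tid[offno - 1] = true` would then write one element before the start of the array. The closing `}` just above the marked lines suggests an offset validity check precedes this, but that check is outside the visible context; either confirm it rejects InvalidOffsetNumber, or strengthen the assertion to `Assert(offno >= FirstOffsetNumber && offno - 1 < MaxHeapTuplesPerPage)`. Worth stating in the commit message as well that the assertion only exists in assert-enabled builds, so it is the shift to 0-based indexing, not the Assert, that closes the off-by-one for offno == MaxHeapTuplesPerPage in release builds.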
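Review bot: in the @@ -247 hunk, `if (!include_this_tid[curoff - 1])` is now the second site that depends on the array being indexed by offset minus one, and nothing at either site records that convention; a one-line comment at the declaration of include_this_tid (element i corresponds to offset i + 1), or a small inline helper shared by the write in the first hunk and this read, would keep the two from drifting apart in later edits. Also confirm that the loop producing curoff starts at FirstOffsetNumber, since the loop header is not in the visible context and `curoff - 1` with curoff == 0 would read before the array.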