pgsql: pg_surgery: Fix off-by-one bug with heap offset

* pgsql: pg_surgery: Fix off-by-one bug with heap offset
From: Michael Paquier <[email protected]> @ 2026-06-05 23:17 UTC
To: [email protected]

pg_surgery: Fix off-by-one bug with heap offset

heap_force_common() declared a boolean array indexed with an
OffsetNumber for a size of MaxHeapTuplesPerPage.  OffsetNumbers are
1-based, so an input TID whose offset number equals MaxHeapTuplesPerPage
wrote one byte past the end of the stack array, crashing the server.

Like heapam_handler.c, this commit changes the array so that it uses a
0-based index, subtracting one from the OffsetNumbers.

Reported-by: Wang Yuelin <[email protected]>
Reviewed-by: Ashutosh Sharma <[email protected]>
Discussion: https://postgr.es/m/[email protected]
Backpatch-through: 14

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/193a4ded94741ba9c24509540a5d586c11761e37

Modified Files
--------------
contrib/pg_surgery/heap_surgery.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

* pgsql: pg_surgery: Fix off-by-one bug with heap offset
From: Michael Paquier <[email protected]> @ 2026-06-05 23:17 UTC
To: [email protected]

pg_surgery: Fix off-by-one bug with heap offset

heap_force_common() declared a boolean array indexed with an
OffsetNumber for a size of MaxHeapTuplesPerPage.  OffsetNumbers are
1-based, so an input TID whose offset number equals MaxHeapTuplesPerPage
wrote one byte past the end of the stack array, crashing the server.

Like heapam_handler.c, this commit changes the array so that it uses a
0-based index, subtracting one from the OffsetNumbers.

Reported-by: Wang Yuelin <[email protected]>
Reviewed-by: Ashutosh Sharma <[email protected]>
Discussion: https://postgr.es/m/[email protected]
Backpatch-through: 14

Branch
------
REL_18_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/2b09f8a9110a5de217fa59dfb3215686def7dc36

Modified Files
--------------
contrib/pg_surgery/heap_surgery.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

* pgsql: pg_surgery: Fix off-by-one bug with heap offset
From: Michael Paquier <[email protected]> @ 2026-06-05 23:17 UTC
To: [email protected]

pg_surgery: Fix off-by-one bug with heap offset

heap_force_common() declared a boolean array indexed with an
OffsetNumber for a size of MaxHeapTuplesPerPage.  OffsetNumbers are
1-based, so an input TID whose offset number equals MaxHeapTuplesPerPage
wrote one byte past the end of the stack array, crashing the server.

Like heapam_handler.c, this commit changes the array so that it uses a
0-based index, subtracting one from the OffsetNumbers.

Reported-by: Wang Yuelin <[email protected]>
Reviewed-by: Ashutosh Sharma <[email protected]>
Discussion: https://postgr.es/m/[email protected]
Backpatch-through: 14

Branch
------
REL_17_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/0bcf19c9e8fc553b2a9bd731d90020fe22def18f

Modified Files
--------------
contrib/pg_surgery/heap_surgery.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

* pgsql: pg_surgery: Fix off-by-one bug with heap offset
From: Michael Paquier <[email protected]> @ 2026-06-05 23:17 UTC
To: [email protected]

pg_surgery: Fix off-by-one bug with heap offset

heap_force_common() declared a boolean array indexed with an
OffsetNumber for a size of MaxHeapTuplesPerPage.  OffsetNumbers are
1-based, so an input TID whose offset number equals MaxHeapTuplesPerPage
wrote one byte past the end of the stack array, crashing the server.

Like heapam_handler.c, this commit changes the array so that it uses a
0-based index, subtracting one from the OffsetNumbers.

Reported-by: Wang Yuelin <[email protected]>
Reviewed-by: Ashutosh Sharma <[email protected]>
Discussion: https://postgr.es/m/[email protected]
Backpatch-through: 14

Branch
------
REL_16_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/daf8bc7d41acf0e4439ee137a6e9ae064a05de79

Modified Files
--------------
contrib/pg_surgery/heap_surgery.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

* pgsql: pg_surgery: Fix off-by-one bug with heap offset
From: Michael Paquier <[email protected]> @ 2026-06-05 23:17 UTC
To: [email protected]

pg_surgery: Fix off-by-one bug with heap offset

heap_force_common() declared a boolean array indexed with an
OffsetNumber for a size of MaxHeapTuplesPerPage.  OffsetNumbers are
1-based, so an input TID whose offset number equals MaxHeapTuplesPerPage
wrote one byte past the end of the stack array, crashing the server.

Like heapam_handler.c, this commit changes the array so that it uses a
0-based index, subtracting one from the OffsetNumbers.

Reported-by: Wang Yuelin <[email protected]>
Reviewed-by: Ashutosh Sharma <[email protected]>
Discussion: https://postgr.es/m/[email protected]
Backpatch-through: 14

Branch
------
REL_15_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/51f63ba2bf7f4a619f9e4251450ee462ba8505dc

Modified Files
--------------
contrib/pg_surgery/heap_surgery.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

* pgsql: pg_surgery: Fix off-by-one bug with heap offset
From: Michael Paquier <[email protected]> @ 2026-06-05 23:17 UTC
To: [email protected]

pg_surgery: Fix off-by-one bug with heap offset

heap_force_common() declared a boolean array indexed with an
OffsetNumber for a size of MaxHeapTuplesPerPage.  OffsetNumbers are
1-based, so an input TID whose offset number equals MaxHeapTuplesPerPage
wrote one byte past the end of the stack array, crashing the server.

Like heapam_handler.c, this commit changes the array so that it uses a
0-based index, subtracting one from the OffsetNumbers.

Reported-by: Wang Yuelin <[email protected]>
Reviewed-by: Ashutosh Sharma <[email protected]>
Discussion: https://postgr.es/m/[email protected]
Backpatch-through: 14

Branch
------
REL_14_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/1eda3eb0753ac6c788c11830e9abc0821f7afd48

Modified Files
--------------
contrib/pg_surgery/heap_surgery.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

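The indexing error described in the commit messages above, as an added example that is not taken from heap_surgery.c or the PostgreSQL tree: a stand-alone C model that compares the array slot selected by 1-based and 0-based indexing without performing the out-of-bounds write. Assumptions: MAX_TUPLES_PER_PAGE stands in for MaxHeapTuplesPerPage and is set to 291 (assumed here for default 8kB pages), and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins, not PostgreSQL's headers; 291 is assumed here for 8kB pages. */
#define MAX_TUPLES_PER_PAGE 291
typedef unsigned short OffsetNumber;        /* 1-based; 0 means invalid */

/* Slot selected when the array is indexed directly by the offset. */
static size_t slot_one_based(OffsetNumber off) { return off; }
/* Slot selected after the fix: subtract one to get a 0-based index. */
static size_t slot_zero_based(OffsetNumber off) { return (size_t) off - 1; }

/* Count valid offsets (1..MAX) whose slot falls outside bool[MAX]. */
static int count_out_of_bounds(size_t (*slot)(OffsetNumber))
{
    int bad = 0;
    for (OffsetNumber off = 1; off <= MAX_TUPLES_PER_PAGE; off++)
        if (slot(off) >= MAX_TUPLES_PER_PAGE)
            bad++;
    return bad;
}

/* Fixed marking loop: skips invalid offsets, writes only in-bounds slots. */
static int mark_offsets(const OffsetNumber *offs, int n, bool *include)
{
    int marked = 0;
    memset(include, 0, MAX_TUPLES_PER_PAGE * sizeof(bool));
    for (int i = 0; i < n; i++)
    {
        if (offs[i] == 0 || offs[i] > MAX_TUPLES_PER_PAGE)
            continue;                       /* not a valid offset number */
        include[slot_zero_based(offs[i])] = true;
        marked++;
    }
    return marked;
}

int main(void)
{
    bool include[MAX_TUPLES_PER_PAGE];
    OffsetNumber offs[] = {1, MAX_TUPLES_PER_PAGE, 0, 292}; /* constructed input */
    int marked = mark_offsets(offs, 4, include);
    printf("1-based out-of-bounds offsets: %d\n", count_out_of_bounds(slot_one_based));
    printf("0-based out-of-bounds offsets: %d\n", count_out_of_bounds(slot_zero_based));
    printf("marked: %d, last slot set: %d\n", marked, include[MAX_TUPLES_PER_PAGE - 1]);
    return 0;
}
```

With 1-based indexing exactly one valid offset, the largest, lands one element past the array; with 0-based indexing every valid offset maps inside it.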