Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1w8BiE-000I6P-39 for pgsql-hackers@arkaria.postgresql.org; Thu, 02 Apr 2026 06:39:31 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1w8BiD-004DUR-2H for pgsql-hackers@arkaria.postgresql.org; Thu, 02 Apr 2026 06:39:30 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1w8BiD-004DUJ-1J for pgsql-hackers@lists.postgresql.org; Thu, 02 Apr 2026 06:39:29 +0000 Received: from mail-pj1-x102f.google.com ([2607:f8b0:4864:20::102f]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1w8BiB-000000008hp-2NTJ for pgsql-hackers@lists.postgresql.org; Thu, 02 Apr 2026 06:39:28 +0000 Received: by mail-pj1-x102f.google.com with SMTP id 98e67ed59e1d1-35d9827661bso237312a91.3 for ; Wed, 01 Apr 2026 23:39:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775111967; x=1775716767; darn=lists.postgresql.org; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=Pot3IcdtOQkmAHredJAw6XEPTM4TvCDiLN3rKmGCW6M=; b=DzoePLMxKy4p2jt4yiTRBaKkgNTrD3yyvh9P5W/sRg0vSNqttg+aZuCbTaaH6YqLIS Ek/zEwXBNn7F8z8IP917q4Z2nLmFq2d8lTxn5Efcx68qC5tPi5BCF5pQ88SSEi0kb2xv f8vSHwVbnhZfsKW3k68n7/SNRTCTJZ5XStCnHvHMwXLUoPIu+H/ouZBIlqDQGHb5a2J7 yznlKnaH/YbttW5/FuyiA2wW/6YZFwxIA9BplXvgRxXccwKzSfXeHlWIiMYICYK1DCYp 0HaPLMl0zuShgqt2EwHO691yol47PSWrIIRMQ5U+M+ySwNwCPuV5Z2LxpYp6Iu3QP3S8 rXjA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775111967; x=1775716767; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-gg:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=Pot3IcdtOQkmAHredJAw6XEPTM4TvCDiLN3rKmGCW6M=; b=kPyHE0EP155X28hiMyjFDCqyB3edxeAv5yPHnD1KM4muCf3UYBEXPPTHwlOUTPXvwC KDflH5g+BNB+EBUWIOmxMIWYND4lld4c5p7AFRVZo3uHxyjeo89y6StPZ5CDDOU1m5Kt VIqnlRd1bikUcEbU1O3429ZojQqqufg4TJzzl0qwaT4yql7+WZplB5gvrcNFvBXbVGTa lqdsexbAE13NBzwaAEMv+CDb1u8vmYRHPkXYjD1I4MCavcGpPiyy34qIcF0+5+XE0OC1 IXANIXRKXF8T1LtWlchZdZTzxqPZ8yWHIRAfzpA27LZETXIPi3AHUJLW8aGAqBuP1+bS 5fYA== X-Gm-Message-State: AOJu0YwADYovob4MNr2B0vG+X/1runaX+0t0wVmHG2kgP2sFBbsXyhQz KiezETXzl/rmQK9pAHfVyB1dlRrobS2J5/Gd+pLnmfaRm9eWSZGY+fWavJYkvcf0dEo= X-Gm-Gg: AeBDies/ovK1U0qeg1n0ZJgNaGv+vAMVFp7UtHGV4o3K/LDJ8JaWEyPwxi0EiyMH7Qv VJbAG710IZCtgZ+Ytoorrw5b+FcaJ0YJjbch4oe0/02bypTWsTKy1fixAx8cHD4NquC7ajLbxh0 ubxFAhrevkrCcbSXH/LmEUsCBbYiC1z5D521cf54lhpLTFoQSNt/f5doUvOpgP7JbAw4PXBMOvF HAAzjBN2AQqyXD3vYzQyQIcAn36t/vXnmvlhMpBhZZ32h+wxr27ueW1tTM4v+DfiNb+0kiHr8QL Bqc0zeS7bqgqtnmnJz46EqkNxzJaKGE2bBs8lPNGLZaWXdYVZvIihXNXMsdVTX5QHW+qy80YkGF UwYqqIX6xL/aEFEfNX/L9oM8ux/56BgDwDpbSIrcILl9yAvpBlbNaYCuAK/ZJ6bHUcTSXs52eYl CaE0gC9ytYI/EjlXEwKgywg2fhpuyHcfsQruI5kXrtPQ== X-Received: by 2002:a17:90b:57c6:b0:35d:a542:2dcb with SMTP id 98e67ed59e1d1-35dc6fae2ecmr5875682a91.16.1775111966693; Wed, 01 Apr 2026 23:39:26 -0700 (PDT) Received: from smtpclient.apple ([45.32.121.103]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-35dbb9aa63dsm2434380a91.10.2026.04.01.23.39.24 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 01 Apr 2026 23:39:26 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3864.400.21\)) Subject: Re: Small and unlikely overflow hazard in bms_next_member() From: Chao Li In-Reply-To: Date: Thu, 2 Apr 2026 14:38:46 +0800 Cc: PostgreSQL Developers Content-Transfer-Encoding: quoted-printable Message-Id: <0BF8BC4F-ED7D-445F-8BB3-2336F1E17CB4@gmail.com> References: To: David Rowley X-Mailer: Apple Mail (2.3864.400.21) List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk > On Apr 2, 2026, at 12:09, David Rowley wrote: >=20 > I've been working on bms_left_shift_members() to bitshift members > either left or right in order to tidy up some existing code and > improve a future Bitmapset use case I'm currently working on. >=20 > When testing some ERROR code I added to ensure we don't get an > excessively large left shift value and end up with members higher than > INT32_MAX, I discovered that bms_next_member() can't handle that > value, as "prevbit++" will wrap to INT32_MIN and then we'll try to > access a negative array index, i.e. seg fault. >=20 > I appreciate that such a large member is quite unlikely, but if this > isn't fixed then I need to code my error checking code to disallow > members >=3D INT32_MAX rather than > INT32_MAX. I did have a comment > explaining why I was doing that, but fixing the bug saves the weird > special case and the comment. >=20 > Patched attached. I was thinking it might not be worthy of > backpatching, but I'll entertain alternative views on that. >=20 > David > Both the return value of bms_next_member() and the parameter =E2=80=9Cprev= bit" are defined as int, which seems to imply that a bitmap can hold at = most INT32_MAX elements. So I wonder if a cleaner fix would be to just = add a range guard, like this: ``` diff --git a/src/backend/nodes/bitmapset.c = b/src/backend/nodes/bitmapset.c index 786f343b3c9..7f79f81f278 100644 --- a/src/backend/nodes/bitmapset.c +++ b/src/backend/nodes/bitmapset.c @@ -1294,7 +1294,7 @@ bms_next_member(const Bitmapset *a, int prevbit) Assert(bms_is_valid_set(a)); - if (a =3D=3D NULL) + if (a =3D=3D NULL || prevbit =3D=3D INT32_MAX) return -2; nwords =3D a->nwords; prevbit++; ``` Best regards, -- Chao Li (Evan) HighGo Software Co., Ltd. https://www.highgo.com/