From: David Rowley
Date: Thu, 2 Apr 2026 17:09:00 +1300
Subject: Small and unlikely overflow hazard in bms_next_member()
To: PostgreSQL Developers

I've been working on bms_left_shift_members() to bitshift members either left or right in order to tidy up some existing code and improve a future Bitmapset use case I'm currently working on.

When testing some ERROR code I added to ensure we don't get an excessively large left shift value and end up with members higher than INT32_MAX, I discovered that bms_next_member() can't handle that value, as "prevbit++" will wrap to INT32_MIN and then we'll try to access a negative array index, i.e. seg fault.

I appreciate that such a large member is quite unlikely, but if this isn't fixed then I need to code my error checking code to disallow members >= INT32_MAX rather than > INT32_MAX. I did have a comment explaining why I was doing that, but fixing the bug saves the weird special case and the comment.

Patch attached. I was thinking it might not be worthy of backpatching, but I'll entertain alternative views on that.

David

Attachment: bms_next_member_fix.patch
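
The wraparound described in the message above, as an added example that is not part of the original post and is not PostgreSQL code. The names toy_bitmap, wrapped_wordnum() and toy_next_member(), the 64-bit word size and the sample set are assumptions made for illustration; the first function shows the negative word index that a 32-bit "prevbit + 1" produces at INT32_MAX, the second does the increment in 64 bits so the scan simply finds no further member.

```c
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_WORD 64
typedef uint64_t bitmapword;

/* Hypothetical stand-in for a Bitmapset (not PostgreSQL's struct). */
typedef struct { int nwords; const bitmapword *words; } toy_bitmap;

/* Constructed sample: members 0, 2 and 67. */
static const bitmapword sample_words[2] = { 0x5, (bitmapword) 1 << 3 };
static const toy_bitmap sample = { 2, sample_words };

/*
 * Word index that 32-bit "prevbit + 1" arithmetic ends up with. The wrap is
 * modelled with unsigned math because signed overflow is undefined in C.
 */
static int32_t wrapped_wordnum(int32_t prevbit)
{
    int32_t next = (int32_t) ((uint32_t) prevbit + 1u);
    return next / BITS_PER_WORD;
}

/* Next member after prevbit, or -2 if none; the increment is done in 64 bits. */
static int toy_next_member(const toy_bitmap *a, int32_t prevbit)
{
    int64_t cur = (int64_t) prevbit + 1;    /* cannot overflow */
    if (a == NULL || cur < 0)
        return -2;
    bitmapword mask = ~(bitmapword) 0 << (cur % BITS_PER_WORD);
    for (int64_t w = cur / BITS_PER_WORD; w < a->nwords; w++)
    {
        bitmapword word = a->words[w] & mask;
        int bit = 0;
        if (word != 0)
        {
            while ((word & 1) == 0) { word >>= 1; bit++; }
            return (int) (w * BITS_PER_WORD + bit);
        }
        mask = ~(bitmapword) 0;     /* later words are scanned in full */
    }
    return -2;
}

int main(void)
{
    printf("wrapped word index: %d\n", (int) wrapped_wordnum(INT32_MAX));
    for (int m = toy_next_member(&sample, -1); m >= 0; m = toy_next_member(&sample, m))
        printf("member %d\n", m);
    printf("after INT32_MAX: %d\n", toy_next_member(&sample, INT32_MAX));
    return 0;
}
```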