Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1w8Csw-000J8P-2z for pgsql-hackers@arkaria.postgresql.org; Thu, 02 Apr 2026 07:54:39 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1w8Csv-004UN6-11 for pgsql-hackers@arkaria.postgresql.org; Thu, 02 Apr 2026 07:54:37 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1w8Csv-004UMy-00 for pgsql-hackers@lists.postgresql.org; Thu, 02 Apr 2026 07:54:37 +0000 Received: from mail-oo1-xc32.google.com ([2607:f8b0:4864:20::c32]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1w8Css-00000000A09-3Yr0 for pgsql-hackers@lists.postgresql.org; Thu, 02 Apr 2026 07:54:37 +0000 Received: by mail-oo1-xc32.google.com with SMTP id 006d021491bc7-67e02b821cfso336663eaf.0 for ; Thu, 02 Apr 2026 00:54:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1775116473; cv=none; d=google.com; s=arc-20240605; b=VWo78Eb8lbTgDpjXA9P7pNv6NdGfBDeBsTQVEI1vtcYH+A3uI6oBQfdvgKmUEtgJUG ZQW4ohrxpnHoeJKtBWNnceu+s/BwsdHxM0M5U+cv0TOxNJZHbkgsQEWgwcudfPS+ioEC 55ATzJRsQ9Liv/slIkAE8g6Vl5BJNj07v8gFKVlY3unU85OVtLNychnKjCODjbZssKuA +iMnN8c8jBPo/BbL6bG/mhrrvqULPb3jB6aVjYe/JJGHcngyjpd6D8XXRuSpW8o3Vs04 taMHlrRN58fcgaBzefCO0AUsybnShAdzKN6ogMuXnOYKEi++4ATG+ZoFN8gFZrcByq62 aSow== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=B+oQOCkBg1DVXp4jYVUIqAFu5Ok5oCDEpqrkDELzw+k=; fh=/grwNyRJp1vK90Hi0BwaCFdYQI2+4p6Kimi7sH5vkzg=; b=BQNYPL1uTBHMM1+LtKm31RzrGZwKHqGntCPIDoZsvVmcbY4aPrVlcA6xdB9pMEnXbf X5mz/pDrVHlUoQPssCaZwVoHSI6EASQl4BNc52pvV6c6S4hfdh4mBkiXPX0UYOtJejFj rUIAbc9rZQFqQ8L8IVsaDECcyZnx8y5z+uRHJ/HRVNVY4BMw8x6SzdZ3UwW/U9TU2h9Z WCR9jqTVGGWsowHAmhbuQopo24b3D2d5zCURx3piGWPggbpSihz2/nVnZ7g/rIKAApAx icRTK4ugdzdGh+cmjheYM5Wg/EWoQl2dtQ+8XRcmQa8us2HM3SQpzbdzpu8QdfsymQf7 OYOw==; darn=lists.postgresql.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775116473; x=1775721273; darn=lists.postgresql.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=B+oQOCkBg1DVXp4jYVUIqAFu5Ok5oCDEpqrkDELzw+k=; b=ltnIk3xmeRVZfCfJ5sAE0tRXVZ/DcILM9qxSBmgcxmeq9b/99Geio/1FrEJ1u8YmLM TW5k81rKpN8Ca5OkztGKBMEqL1rHIbPL6EDZ/hHMJmK9mtof6Cb5UC6XLHLLBGwcsrPQ nITgaQzw1TXP14hdl/BtdbfT0tXuWj5RjLuVAzIyKjtQWdNhlhq7ChF+POY4m03vbe8a /9FcYL6VR/eOIICpWKRb6eHyKLqN5H9MJ72nDuiAlgVr8bj1XOfeODoqnvD69KcdoPkD dOLHHb1GbfvxFC0KZUKbnSnh7R938T4pqCABaBT++sIquFojFgUxrHCLsvr3MHLrMMK8 O7mA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775116473; x=1775721273; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=B+oQOCkBg1DVXp4jYVUIqAFu5Ok5oCDEpqrkDELzw+k=; b=ae+/PR1ed/nSY5GRV+C1OlWG3Pz4ZLC1TPcoDjSQBXkm2w6B9LJEJI8AaeuwqJec1j 5AhFfeaH5YTS0B0ny8gVb6SM6AuuLK1w480HKUUJRNE/HrgsGItqlJfbUfJ+ctXUSnro KrRXTmvUM7tkqLkvolh+NrjEkcrSOE7nW9uzA9f90giMWOZrSrtQmDHkVl5TuYVzTecV KJsV03k5EO3p/0+o0N3wlbXOdRatC7JwZTyzC0nOwINdJseqnUpUu4avEVu2BHlUZpZr 5fGyz0KKAKfIwmoDehRRsV7NZ650i2zB71FFsreo8lZ+QpNF8uH9SWutXKIwbaZ8quLC /CoA== X-Forwarded-Encrypted: i=1; AJvYcCV6x29J/QoE6bqVCOhPlZPndO5yk/bfCSme0RYgY4yGYjRtGXl1VLC8tX9G2EZFmgaYrvtBppYYajA3HhW6@lists.postgresql.org X-Gm-Message-State: AOJu0Yx+s9EbEqOW0UFH4MNsDRT6HYQVYrBjGs9MfWSWS+YiYCNqt/FD Ngp+91aBAPfZP6OPre/wPF4JVKrvlfCGt9Z/fgQMsRZCYbMwHWi1BrR7Wo04c75ByAALlJpfBVW WV3DmzT/Vhh+pPoKU23F9wVjFGlMYgQU= X-Gm-Gg: ATEYQzzbRDktgSL7T07PbPXRUIhTVlygubkRZbg/ckLZHIHZYeL2Bx0lugEZWv84t1k IDvpR8YJX9oPTBF4SpQ/UQfWuUAXk0cYfRIn7pxey/vCEJwLg1JiNkUbTF3cfqhauO3pJX+eHls WK65OJjv8ImRUKsvI1ePVjVILn3D+kzl17HdPwrlOxMLb4WIpQTLOBEBcPKYHpotXrwKknL/ErZ I/XYhgx3LVh37uIvVNpKCeCJj+ee5tVrgTG2FK/XjO4Xx2Cqil++cHVAirVgRQgQe9ChL4BdAt+ JPL1Wn5rkDnWnugo7g== X-Received: by 2002:a05:6820:2d03:b0:67e:16b4:aa14 with SMTP id 006d021491bc7-67fabc53bc3mr3407122eaf.28.1775116472984; Thu, 02 Apr 2026 00:54:32 -0700 (PDT) MIME-Version: 1.0 References: <0BF8BC4F-ED7D-445F-8BB3-2336F1E17CB4@gmail.com> In-Reply-To: <0BF8BC4F-ED7D-445F-8BB3-2336F1E17CB4@gmail.com> From: jie wang Date: Thu, 2 Apr 2026 15:54:18 +0800 X-Gm-Features: AQROBzAZmk7dXSy-wg7A_jwJA3sdhmACLU9XnEHT4On9RR5ryfWEtXFDJlOP7Wg Message-ID: Subject: Re: Small and unlikely overflow hazard in bms_next_member() To: Chao Li Cc: David Rowley , PostgreSQL Developers Content-Type: multipart/alternative; boundary="000000000000cea9e3064e7582bc" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --000000000000cea9e3064e7582bc Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Chao Li =E4=BA=8E2026=E5=B9=B44=E6=9C=882=E6=97=A5= =E5=91=A8=E5=9B=9B 14:39=E5=86=99=E9=81=93=EF=BC=9A > > > > On Apr 2, 2026, at 12:09, David Rowley wrote: > > > > I've been working on bms_left_shift_members() to bitshift members > > either left or right in order to tidy up some existing code and > > improve a future Bitmapset use case I'm currently working on. > > > > When testing some ERROR code I added to ensure we don't get an > > excessively large left shift value and end up with members higher than > > INT32_MAX, I discovered that bms_next_member() can't handle that > > value, as "prevbit++" will wrap to INT32_MIN and then we'll try to > > access a negative array index, i.e. seg fault. > > > > I appreciate that such a large member is quite unlikely, but if this > > isn't fixed then I need to code my error checking code to disallow > > members >=3D INT32_MAX rather than > INT32_MAX. I did have a comment > > explaining why I was doing that, but fixing the bug saves the weird > > special case and the comment. > > > > Patched attached. I was thinking it might not be worthy of > > backpatching, but I'll entertain alternative views on that. > > > > David > > > > Both the return value of bms_next_member() and the parameter =E2=80=9Cpre= vbit" are > defined as int, which seems to imply that a bitmap can hold at most > INT32_MAX elements. So I wonder if a cleaner fix would be to just add a > range guard, like this: > > ``` > diff --git a/src/backend/nodes/bitmapset.c b/src/backend/nodes/bitmapset.= c > index 786f343b3c9..7f79f81f278 100644 > --- a/src/backend/nodes/bitmapset.c > +++ b/src/backend/nodes/bitmapset.c > @@ -1294,7 +1294,7 @@ bms_next_member(const Bitmapset *a, int prevbit) > > Assert(bms_is_valid_set(a)); > > - if (a =3D=3D NULL) > + if (a =3D=3D NULL || prevbit =3D=3D INT32_MAX) > return -2; > nwords =3D a->nwords; > prevbit++; > ``` > > Best regards, > -- > Chao Li (Evan) > HighGo Software Co., Ltd. > https://www.highgo.com/ > > > > > > > Hi, The both solutions look good to me. I am slightly keen on Chao's version that looks simpler to me. Thanks! wang jie --000000000000cea9e3064e7582bc Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable


Chao Li <li.evan.chao@gmail.com> =E4= =BA=8E2026=E5=B9=B44=E6=9C=882=E6=97=A5=E5=91=A8=E5=9B=9B 14:39=E5=86=99=E9= =81=93=EF=BC=9A
=

> On Apr 2, 2026, at 12:09, David Rowley <dgrowleyml@gmail.com> wrote:
>
> I've been working on bms_left_shift_members() to bitshift members<= br> > either left or right in order to tidy up some existing code and
> improve a future Bitmapset use case I'm currently working on.
>
> When testing some ERROR code I added to ensure we don't get an
> excessively large left shift value and end up with members higher than=
> INT32_MAX, I discovered that bms_next_member() can't handle that > value, as "prevbit++" will wrap to INT32_MIN and then we'= ;ll try to
> access a negative array index, i.e. seg fault.
>
> I appreciate that such a large member is quite unlikely, but if this > isn't fixed then I need to code my error checking code to disallow=
> members >=3D INT32_MAX rather than > INT32_MAX. I did have a com= ment
> explaining why I was doing that, but fixing the bug saves the weird > special case and the comment.
>
> Patched attached. I was thinking it might not be worthy of
> backpatching, but I'll entertain alternative views on that.
>
> David
> <bms_next_member_fix.patch>

Both the return value of bms_next_member() and the parameter =E2=80=9Cprevb= it" are defined as int, which seems to imply that a bitmap can hold at= most INT32_MAX elements. So I wonder if a cleaner fix would be to just add= a range guard, like this:

```
diff --git a/src/backend/nodes/bitmapset.c b/src/backend/nodes/bitmapset.c<= br> index 786f343b3c9..7f79f81f278 100644
--- a/src/backend/nodes/bitmapset.c
+++ b/src/backend/nodes/bitmapset.c
@@ -1294,7 +1294,7 @@ bms_next_member(const Bitmapset *a, int prevbit)

=C2=A0 =C2=A0 =C2=A0 =C2=A0 Assert(bms_is_valid_set(a));

-=C2=A0 =C2=A0 =C2=A0 =C2=A0if (a =3D=3D NULL)
+=C2=A0 =C2=A0 =C2=A0 =C2=A0if (a =3D=3D NULL || prevbit =3D=3D INT32_MAX)<= br> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 return -2;
=C2=A0 =C2=A0 =C2=A0 =C2=A0 nwords =3D a->nwords;
=C2=A0 =C2=A0 =C2=A0 =C2=A0 prevbit++;
```

Best regards,
--
Chao Li (Evan)
HighGo Software Co., Ltd.
ht= tps://www.highgo.com/







Hi,

The both = solutions look good to me. I am slightly keen on Chao's version that lo= oks simpler to me.

Thanks!
wang jie
--000000000000cea9e3064e7582bc--