From: Thomas Munro Date: Thu, 26 Jan 2023 01:50:07 +0000 (+1300) Subject: Fix rare sharedtuplestore.c corruption. X-Git-Tag: REL_11_19~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d95dcc9ab5f8816c7a4ac591628c68efaa2a9b7a;p=thirdparty%2Fpostgresql.git Fix rare sharedtuplestore.c corruption. If the final chunk of an oversized tuple being written out to disk was exactly 32760 bytes, it would be corrupted due to a fencepost bug. Bug #17619. Back-patch to 11 where the code arrived. While testing that (see test module in archives), I (tmunro) noticed that the per-participant page counter was not initialized to zero as it should have been; that wasn't a live bug when it was written since DSM memory was originally always zeroed, but since 14 min_dynamic_shared_memory might be configured and it supplies non-zeroed memory, so that is also fixed here. Author: Dmitry Astapov Discussion: https://postgr.es/m/17619-0de62ceda812b8b5%40postgresql.org --- diff --git a/src/backend/utils/sort/sharedtuplestore.c b/src/backend/utils/sort/sharedtuplestore.c index d2555c2c3ba..b9e801d6e11 100644 --- a/src/backend/utils/sort/sharedtuplestore.c +++ b/src/backend/utils/sort/sharedtuplestore.c @@ -160,6 +160,7 @@ sts_initialize(SharedTuplestore *sts, int participants, LWLockInitialize(&sts->participants[i].lock, LWTRANCHE_SHARED_TUPLESTORE); sts->participants[i].read_page = 0; + sts->participants[i].npages = 0; sts->participants[i].writing = false; } @@ -321,7 +322,7 @@ sts_puttuple(SharedTuplestoreAccessor *accessor, void *meta_data, /* Do we have space? */ size = accessor->sts->meta_data_size + tuple->t_len; - if (accessor->write_pointer + size >= accessor->write_end) + if (accessor->write_pointer + size > accessor->write_end) { if (accessor->write_chunk == NULL) { @@ -341,7 +342,7 @@ sts_puttuple(SharedTuplestoreAccessor *accessor, void *meta_data, } /* It may still not be enough in the case of a gigantic tuple. */ - if (accessor->write_pointer + size >= accessor->write_end) + if (accessor->write_pointer + size > accessor->write_end) { size_t written;