From: David Rowley <drowley@postgresql.org>
Date: Sat, 18 Oct 2025 03:07:04 +0000 (+1300)
Subject: Fix reset of incorrect hash iterator in GROUPING SETS queries
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5c0a20003b4396930a354105ccf47402ca5047d2;p=thirdparty%2Fpostgresql.git

Fix reset of incorrect hash iterator in GROUPING SETS queries

This fixes an unlikely issue when fetching GROUPING SET results from
their internally stored hash tables.  It was possible in rare cases that
the hash iterator would be set up incorrectly which could result in a
crash.

This was introduced in 4d143509c, so backpatch to v18.

Many thanks to Yuri Zamyatin for reporting and helping to debug this
issue.

Bug: #19078
Reported-by: Yuri Zamyatin <yuri@yrz.am>
Author: David Rowley <dgrowleyml@gmail.com>
Reviewed-by: Jeff Davis <pgsql@j-davis.com>
Discussion: https://postgr.es/m/19078-dfd62f840a2c0766@postgresql.org
Backpatch-through: 18
---

diff --git a/src/backend/executor/nodeAgg.c b/src/backend/executor/nodeAgg.c
index a4f3d30f307..64643c3943a 100644
--- a/src/backend/executor/nodeAgg.c
+++ b/src/backend/executor/nodeAgg.c
@@ -2911,7 +2911,7 @@ agg_retrieve_hash_table_in_memory(AggState *aggstate)
 
 				perhash = &aggstate->perhash[aggstate->current_set];
 
-				ResetTupleHashIterator(hashtable, &perhash->hashiter);
+				ResetTupleHashIterator(perhash->hashtable, &perhash->hashiter);
 
 				continue;
 			}
diff --git a/src/include/lib/simplehash.h b/src/include/lib/simplehash.h
index 327274c2340..9622131ede6 100644
--- a/src/include/lib/simplehash.h
+++ b/src/include/lib/simplehash.h
@@ -1044,6 +1044,10 @@ SH_START_ITERATE_AT(SH_TYPE * tb, SH_ITERATOR * iter, uint32 at)
 SH_SCOPE	SH_ELEMENT_TYPE *
 SH_ITERATE(SH_TYPE * tb, SH_ITERATOR * iter)
 {
+	/* validate sanity of the given iterator */
+	Assert(iter->cur < tb->size);
+	Assert(iter->end < tb->size);
+
 	while (!iter->done)
 	{
 		SH_ELEMENT_TYPE *elem;