pg_surgery: Fix off-by-one bug with heap offset
authorMichael Paquier <michael@paquier.xyz>
Fri, 5 Jun 2026 23:16:43 +0000 (08:16 +0900)
committerMichael Paquier <michael@paquier.xyz>
Fri, 5 Jun 2026 23:16:43 +0000 (08:16 +0900)
heap_force_common() declared a boolean array indexed with an
OffsetNumber for a size of MaxHeapTuplesPerPage.  OffsetNumbers are
1-based, so an input TID whose offset number equals MaxHeapTuplesPerPage
wrote one byte past the end of the stack array, crashing the server.

Like heapam_handler.c, this commit changes the array so that it uses a
0-based index, subtracting one from the OffsetNumbers.

Reported-by: Wang Yuelin <violin0613@tju.edu.cn>
Reviewed-by: Ashutosh Sharma <ashu.coek88@gmail.com>
Discussion: https://postgr.es/m/20260604002256.40f1fd544@smtp.qiye.163.com
Backpatch-through: 14

contrib/pg_surgery/heap_surgery.c

index 88a40ab7d39b8043eead48b254231758a7f66cac..b159f316619dc81b7fafbba05d305064bff737a6 100644 (file)
@@ -225,8 +225,8 @@ heap_force_common(FunctionCallInfo fcinfo, HeapTupleForceOption heap_force_opt)
                        }
 
                        /* Mark it for processing. */
-                       Assert(offno < MaxHeapTuplesPerPage);
-                       include_this_tid[offno] = true;
+                       Assert(offno <= MaxHeapTuplesPerPage);
+                       include_this_tid[offno - 1] = true;
                }
 
                /*
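Review bot: The adjusted Assert before the include_this_tid write only bounds the upper end of offno, yet the new subscript `offno - 1` also goes out of range at the lower end when offno is InvalidOffsetNumber (0), so the assertion should cover both: `Assert(offno >= FirstOffsetNumber && offno <= MaxHeapTuplesPerPage);`. Assert is compiled out in non-cassert builds, so the actual protection against an out-of-range TID offset in production has to come from the validation earlier in this loop, which starts above the hunk; it is worth confirming that that check rejects offsets above PageGetMaxOffsetNumber() before this write is reached. heap_force_common continues on both sides of the hunk.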
@@ -244,7 +244,7 @@ heap_force_common(FunctionCallInfo fcinfo, HeapTupleForceOption heap_force_opt)
                {
                        ItemId          itemid;
 
-                       if (!include_this_tid[curoff])
+                       if (!include_this_tid[curoff - 1])
                                continue;
 
                        itemid = PageGetItemId(page, curoff);
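Review bot: The `curoff - 1` subscript now silently encodes that include_this_tid is 0-based while curoff is a 1-based OffsetNumber, and nothing at the read site says so; a one-line comment above the if, such as `/* include_this_tid is 0-based; OffsetNumbers start at FirstOffsetNumber */`, would stop the next reader from "fixing" the index back to match PageGetItemId(page, curoff) on the following line. The loop header that sets curoff's starting value is outside this hunk, so the subscript is only safe if that loop begins at FirstOffsetNumber rather than 0. heap_force_common continues outside the hunk.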