From: Michael Paquier
Date: Fri, 5 Jun 2026 23:16:44 +0000 (+0900)
Subject: pg_surgery: Fix off-by-one bug with heap offset
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=51f63ba2bf7f4a619f9e4251450ee462ba8505dc;p=thirdparty%2Fpostgresql.git

pg_surgery: Fix off-by-one bug with heap offset

heap_force_common() declared a boolean array indexed with an OffsetNumber for a size of MaxHeapTuplesPerPage. OffsetNumbers are 1-based, so an input TID whose offset number equals MaxHeapTuplesPerPage wrote one byte past the end of the stack array, crashing the server.

Like heapam_handler.c, this commit changes the array so as it uses a 0-based index, substracting one from the OffsetNumbers.

Reported-by: Wang Yuelin
Reviewed-by: Ashutosh Sharma
Discussion: https://postgr.es/m/20260604002256.40f1fd544@smtp.qiye.163.com
Backpatch-through: 14
---

diff --git a/contrib/pg_surgery/heap_surgery.c b/contrib/pg_surgery/heap_surgery.c
index 3e641aa6440..934b1d0ec21 100644
--- a/contrib/pg_surgery/heap_surgery.c
+++ b/contrib/pg_surgery/heap_surgery.c
@@ -224,8 +224,8 @@ heap_force_common(FunctionCallInfo fcinfo, HeapTupleForceOption heap_force_opt)
 		}
 
 		/* Mark it for processing. */
-		Assert(offno < MaxHeapTuplesPerPage);
-		include_this_tid[offno] = true;
+		Assert(offno <= MaxHeapTuplesPerPage);
+		include_this_tid[offno - 1] = true;
 	}
 
 	/*
@@ -243,7 +243,7 @@ heap_force_common(FunctionCallInfo fcinfo, HeapTupleForceOption heap_force_opt)
 	{
 		ItemId		itemid;
 
-		if (!include_this_tid[curoff])
+		if (!include_this_tid[curoff - 1])
 			continue;
 
 		itemid = PageGetItemId(page, curoff);
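Review bot: The `Assert(offno <= MaxHeapTuplesPerPage)` on the new side is the only bound visible in this hunk, and Assert() compiles to nothing in non-assert builds, so in production the write `include_this_tid[offno - 1] = true;` is protected solely by whatever range check precedes it outside the hunk — and the commit message shows that check admitted an offset equal to MaxHeapTuplesPerPage, i.e. it is not bounded by the array size itself. If that earlier check compares against the page's own max offset (derived from pd_lower), a page with a corrupt header — precisely the kind of page pg_surgery is used on — could presumably admit an offset above MaxHeapTuplesPerPage; worth confirming against the preceding lines. A hard runtime guard next to the Assert would close that regardless of build type, e.g. `if (offno > MaxHeapTuplesPerPage) continue;` (ideally with the same NOTICE the existing invalid-offset path emits, if there is one), leaving the Assert as documentation only. The enclosing loop and heap_force_common() start before the hunk.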
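Review bot: The read `include_this_tid[curoff - 1]` now assumes curoff never exceeds MaxHeapTuplesPerPage, but the loop header that bounds curoff lies above the hunk and is not visible here; if it iterates up to PageGetMaxOffsetNumber(page), which comes from pd_lower, a corrupt page header could drive curoff past the end of the array and turn this into an out-of-bounds stack read — please confirm the loop bound is clamped. Separately, the 0-based mapping is now applied in two places with nothing tying them together; a one-line note at the array's declaration, e.g. `/* Indexed by OffsetNumber - 1: OffsetNumbers are 1-based, this array is 0-based. */`, would keep a future edit from reintroducing the off-by-one. The enclosing loop and function continue outside the hunk.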