pg_surgery: Fix off-by-one bug with heap offset

heap_force_common() declared a boolean array indexed with an
OffsetNumber for a size of MaxHeapTuplesPerPage.  OffsetNumbers are
1-based, so an input TID whose offset number equals MaxHeapTuplesPerPage
wrote one byte past the end of the stack array, crashing the server.

Like heapam_handler.c, this commit changes the array so that it uses a
0-based index, subtracting one from the OffsetNumbers.

Reported-by: Wang Yuelin <violin0613@tju.edu.cn>
Reviewed-by: Ashutosh Sharma <ashu.coek88@gmail.com>
Discussion: https://postgr.es/m/20260604002256.40f1fd544@smtp.qiye.163.com
Backpatch-through: 14
This commit is contained in:
Michael Paquier 2026-06-06 08:16:46 +09:00
parent 5b72d0279b
commit 1eda3eb075


@ -206,8 +206,8 @@ heap_force_common(FunctionCallInfo fcinfo, HeapTupleForceOption heap_force_opt)
}
/* Mark it for processing. */
Assert(offno < MaxHeapTuplesPerPage);
include_this_tid[offno] = true;
Assert(offno <= MaxHeapTuplesPerPage);
include_this_tid[offno - 1] = true;
}
/*
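Review bot: the new index `include_this_tid[offno - 1]` is only safe if offno is at least FirstOffsetNumber (1), and the visible lines assert just the upper bound, `Assert(offno <= MaxHeapTuplesPerPage)`; please confirm that the earlier TID validation rejects an offset of 0, since otherwise the subtraction yields index -1 and a write below the array. Note also that Assert() is compiled out in non-assert builds, so the upper bound on a user-supplied TID must be enforced by a real check before this point rather than by the Assert alone.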
@ -225,7 +225,7 @@ heap_force_common(FunctionCallInfo fcinfo, HeapTupleForceOption heap_force_opt)
{
ItemId itemid;
if (!include_this_tid[curoff])
if (!include_this_tid[curoff - 1])
continue;
itemid = PageGetItemId(page, curoff);
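Review bot: `include_this_tid[curoff - 1]` repeats the 1-based-to-0-based conversion at a second site; a short comment on the array declaration (or a small macro for the index) would document that the array is indexed by `OffsetNumber - 1`, so a future caller does not reintroduce the original off-by-one. The loop bound (not shown) should also keep curoff starting at FirstOffsetNumber so the index never goes below zero.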