From 2b09f8a9110a5de217fa59dfb3215686def7dc36 Mon Sep 17 00:00:00 2001
From: Michael Paquier
Date: Sat, 6 Jun 2026 08:16:40 +0900
Subject: [PATCH] pg_surgery: Fix off-by-one bug with heap offset

heap_force_common() declared a boolean array indexed with an OffsetNumber for a size of MaxHeapTuplesPerPage. OffsetNumbers are 1-based, so an input TID whose offset number equals MaxHeapTuplesPerPage wrote one byte past the end of the stack array, crashing the server.

Like heapam_handler.c, this commit changes the array so as it uses a 0-based index, substracting one from the OffsetNumbers.

Reported-by: Wang Yuelin
Reviewed-by: Ashutosh Sharma
Discussion: https://postgr.es/m/20260604002256.40f1fd544@smtp.qiye.163.com
Backpatch-through: 14
---
 contrib/pg_surgery/heap_surgery.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/contrib/pg_surgery/heap_surgery.c b/contrib/pg_surgery/heap_surgery.c
index 3e86283beb7..602aca66c60 100644
--- a/contrib/pg_surgery/heap_surgery.c
+++ b/contrib/pg_surgery/heap_surgery.c
@@ -228,8 +228,8 @@ heap_force_common(FunctionCallInfo fcinfo, HeapTupleForceOption heap_force_opt)
 }
 
 /* Mark it for processing. */
- Assert(offno < MaxHeapTuplesPerPage);
- include_this_tid[offno] = true;
+ Assert(offno <= MaxHeapTuplesPerPage);
+ include_this_tid[offno - 1] = true;
 }
 
 /*
@@ -247,7 +247,7 @@ heap_force_common(FunctionCallInfo fcinfo, HeapTupleForceOption heap_force_opt)
 {
 ItemId itemid;
 
- if (!include_this_tid[curoff])
+ if (!include_this_tid[curoff - 1])
 continue;
 
 itemid = PageGetItemId(page, curoff);
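Review bot: The new `Assert(offno <= MaxHeapTuplesPerPage);` in the first hunk is compiled out of non-assert builds, so the upper bound that `include_this_tid[offno - 1] = true;` relies on is documented but not enforced at runtime. pg_surgery is by design run against damaged relations; if the offset validation that precedes this hunk (outside it, presumably comparing offno against the page's own max offset number — confirm) lets through an offno larger than MaxHeapTuplesPerPage on a page with a corrupted line-pointer count, the stack write past the array that this commit fixes for the equal-to case is still possible for the greater-than case. Consider adding the bound to that runtime validation, e.g. `if (!OffsetNumberIsValid(offno) || offno > maxoffset || offno > MaxHeapTuplesPerPage)` and skipping the TID with the existing NOTICE, rather than relying on Assert alone. The read at `include_this_tid[curoff - 1]` in the second hunk has the same exposure if `curoff` is iterated up to the page's max offset number rather than a value capped at MaxHeapTuplesPerPage. heap_force_common() starts and ends outside both hunks, and the array declaration the index bound depends on is not visible here.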