[PATCH] bms_prev_member() can read beyond the end of the array of allocated words

From: Greg Burd <greg(at)burd(dot)me>
To: PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: [PATCH] bms_prev_member() can read beyond the end of the array of allocated words
Date: 2025-08-14 13:20:45
Message-ID: 2000A717-1FFE-4031-827B-9330FB2E9065@getmailspring.com
Lists: pgsql-hackers

Hello,

I've been working on Bitmapset and while creating a test suite for it I
found that there is a missing bounds check in bms_prev_member(). The
function takes the prevbit argument and converts it to an index into the
words array using WORDNUM() without checking to ensure that prevbit is
within the bounds of the possible values (e.g. nwords *
BITS_PER_BITMAPWORD) in the set. This means that $subject, resulting in
a confusing return value when the expected value should be the highest
bit set.

The patch attached adds a bounds check preventing this.

-greg

Attachment Content-Type Size
v1-0001-Prevent-bms_prev_member-from-reading-beyond-the-e.patch application/octet-stream 1.2 KB
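
The missing check described in the message, as an added example that is not part of the original post, the attached patch or PostgreSQL's code: a simplified model of a word-array bitmap set showing where an unchecked prevbit lands and how a clamp keeps the scan inside the array. The names toy_set, sample_set, start_word, start_in_bounds and prev_member_checked are hypothetical, and clamping an out-of-range prevbit to the top of the set is an assumption based on the expected result the message states.

```c
#include <stddef.h>
#include <stdint.h>

#define BITS_PER_WORD 64
#define WORDNUM(x) ((x) / BITS_PER_WORD)
#define BITNUM(x)  ((x) % BITS_PER_WORD)

/* Hypothetical stand-in for a Bitmapset with nwords allocated words. */
typedef struct { int nwords; uint64_t words[2]; } toy_set;

/* Constructed sample: members 3 and 70, so valid bits are 0..127. */
toy_set sample_set(void)
{
    toy_set s = { 2, { UINT64_C(1) << 3, UINT64_C(1) << (70 - 64) } };
    return s;
}

/* Word index an unchecked scan would start at for a positive prevbit. */
int start_word(int prevbit) { return WORDNUM(prevbit - 1); }

/* 1 if that starting index is inside words[0 .. nwords-1]. */
int start_in_bounds(const toy_set *a, int prevbit) { return start_word(prevbit) < a->nwords; }

/* Largest member below prevbit, or -2 if there is none. */
int prev_member_checked(const toy_set *a, int prevbit)
{
    int limit, wordnum;
    uint64_t mask;
    if (a == NULL || prevbit == 0)
        return -2;
    limit = a->nwords * BITS_PER_WORD;
    /* Bounds check (assumed behaviour): a negative or too-large prevbit
     * starts from the highest allocated bit, never past the array. */
    if (prevbit < 0 || prevbit > limit)
        prevbit = limit;
    prevbit--;
    mask = ~UINT64_C(0) >> (BITS_PER_WORD - (BITNUM(prevbit) + 1));
    for (wordnum = WORDNUM(prevbit); wordnum >= 0; wordnum--) {
        uint64_t w = a->words[wordnum] & mask;
        if (w != 0) {
            int pos = BITS_PER_WORD - 1;
            while (!(w >> pos)) pos--;   /* leftmost set bit in w */
            return wordnum * BITS_PER_WORD + pos;
        }
        mask = ~UINT64_C(0);
    }
    return -2;
}
```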
