From: | David Rowley <dgrowleyml(at)gmail(dot)com> |
---|---|
To: | Greg Burd <greg(at)burd(dot)me> |
Cc: | PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: [PATCH] bms_prev_member() can read beyond the end of the array of allocated words |
Date: | 2025-08-14 13:46:55 |
Message-ID: | CAApHDvpOwmEa46bJurnCsp-Ug8A8mnmbJt+bn9txBUg3SGbNZg@mail.gmail.com |
Lists: | pgsql-hackers |
On Fri, 15 Aug 2025 at 01:21, Greg Burd <greg(at)burd(dot)me> wrote:
> I've been working on Bitmapset and while creating a test suite for it I
> found that there is a missing bounds check in bms_prev_member(). The
> function takes the prevbit argument and converts it to an index into the
> words array using WORDNUM() without checking to ensure that prevbit is
> within the bounds of the possible values (e.g. nwords *
> BITS_PER_BITMAPWORD) in the set. This means that $subject resulting in
> a confusing return value when the expected value should be the highest
> bit set.

There's a comment saying:

* "prevbit" must NOT be more than one above the highest possible bit that can
* be set at the Bitmapset at its current size.

So looks like it's the fault of the calling code and not an issue with
bms_prev_member().

David
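
The bound quoted from that comment, shown on a toy model as an added example; this is not PostgreSQL's bitmapset code and not code from either poster. `ToySet`, `SAMPLE`, `toy_prev_member` and `toy_prev_member_clamped` are hypothetical names, and 64-bit words are an assumption.

```c
#include <stddef.h>
#include <stdint.h>

#define BITS_PER_WORD 64
#define WORDNUM(x) ((x) / BITS_PER_WORD)
#define BITNUM(x)  ((x) % BITS_PER_WORD)

/* Hypothetical stand-in for a Bitmapset: only words[0..nwords-1] are valid. */
typedef struct { int nwords; uint64_t words[2]; } ToySet;

/* Constructed sample: members 3 and 70, two allocated words. */
const ToySet SAMPLE = {2, {1ULL << 3, 1ULL << 6}};

/* Position of the highest set bit of a nonzero word. */
static int leftmost_one(uint64_t w)
{
    int pos = 0;
    while (w >>= 1)
        pos++;
    return pos;
}

/* Largest member below prevbit (-1 = start from the top), or -2 if none.
 * Contract: -1 <= prevbit <= nwords * BITS_PER_WORD. A larger prevbit makes
 * WORDNUM(prevbit - 1) index past words[nwords - 1]. */
int toy_prev_member(const ToySet *a, int prevbit)
{
    if (a == NULL || prevbit == 0)
        return -2;
    prevbit = (prevbit == -1) ? a->nwords * BITS_PER_WORD - 1 : prevbit - 1;
    uint64_t mask = ~(uint64_t) 0 >> (BITS_PER_WORD - (BITNUM(prevbit) + 1));
    for (int wordnum = WORDNUM(prevbit); wordnum >= 0; wordnum--) {
        uint64_t w = a->words[wordnum] & mask;  /* drop bits above prevbit */
        if (w != 0)
            return wordnum * BITS_PER_WORD + leftmost_one(w);
        mask = ~(uint64_t) 0;       /* earlier words: consider every bit */
    }
    return -2;
}

/* Caller-side guard: bring prevbit inside the contract before the call. */
int toy_prev_member_clamped(const ToySet *a, int prevbit)
{
    if (a == NULL || prevbit < -1)
        return -2;
    if (prevbit > a->nwords * BITS_PER_WORD)
        prevbit = a->nwords * BITS_PER_WORD;
    return toy_prev_member(a, prevbit);
}
```

With the guard, an oversized `prevbit` such as 1000 yields the highest member (70) instead of indexing outside the allocated words.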