From dd7a99c8e83be7601a6b12bad6c2f55f181f1523 Mon Sep 17 00:00:00 2001 From: Ayush Tiwari Date: Mon, 29 Jun 2026 06:55:53 +0000 Subject: [PATCH v1] Make buffer-descriptor accessors take signed int and assert range GetBufferDescriptor() and GetLocalBufferDescriptor() took a uint32 id, so a negative buffer id (such as a local buffer's buffer-1) silently wrapped to a huge value and indexed out of bounds, returning a bogus descriptor instead of failing. MarkBufferDirtyHint() relied on the result being unused for local buffers, but it was undefined behavior nonetheless. Switch both accessors to a signed int and assert 0 <= id < NBuffers / NLocBuffer so a bad id trips immediately instead of silently aliasing a valid descriptor. Discussion: https://postgr.es/m/CAExHW5uzRMYVZsXXS3HXXT0fG_sNrpUhUqwP4NorhaCqH9JDhA@mail.gmail.com --- src/include/storage/buf_internals.h | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/include/storage/buf_internals.h b/src/include/storage/buf_internals.h index 89615a254a3..7b13ec0dc74 100644 --- a/src/include/storage/buf_internals.h +++ b/src/include/storage/buf_internals.h @@ -419,14 +419,18 @@ extern PGDLLIMPORT BufferDesc *LocalBufferDescriptors; static inline BufferDesc * -GetBufferDescriptor(uint32 id) +GetBufferDescriptor(int id) { + Assert(id >= 0 && id < NBuffers); + return &(BufferDescriptors[id]).bufferdesc; } static inline BufferDesc * -GetLocalBufferDescriptor(uint32 id) +GetLocalBufferDescriptor(int id) { + Assert(id >= 0 && id < NLocBuffer); + return &LocalBufferDescriptors[id]; } -- 2.43.0