Fw: Re: heap_force_common in contrib/pg_surgery/heap_surgery.c has an off by one stack buffer overflow

(unknown)

From: violin0613@tju.edu.cn <violin0613@tju.edu.cn>
To: <pgsql-bugs@postgresql.org>
Date: 2026-06-03T16:22:53Z
Lists: pgsql-bugs
  



  




  
    ---Original---
  
  
    
      From: "Noah Misch"<noah@leadboat.com>
    
    
      Date: Wed, Jun 3, 2026 23:25 PM
    
    
      To: "王跃林"<violin0613@tju.edu.cn>;
    
    
      Cc: "security"<security@postgresql.org>;
    
    
      Subject: Re: heap_force_common in contrib/pg_surgery/heap_surgery.c has an off by one stack buffer overflow
    
  

  On Sat, May 23, 2026 at 11:56:59AM +0800, 王跃林 wrote:

  > PoC

  > 

  >  CREATE EXTENSION IF NOT EXISTS pg_surgery

  >  â

  >  CREATE TABLE vuln_005_t()

  >  â

  >  INSERT INTO vuln_005_t SELECT FROM generate_series(1, 291)

  >  â

  >  SELECT heap_force_freeze('vuln_005_t'::regclass,

  >                           ARRAY['(0, 291)']::tid[])

  > 

  >    The final statement triggers the bug.

  > 

  > Results

  > 

  >    The debug build crashed with:

  >  TRAP: failed Assert("offno < MaxHeapTuplesPerPage"), File: "heap_surgery.c", Li

  > ne: 231

  >  server closed the connection unexpectedly

  > 

  >    In a release build, the assertion is removed and the out of bounds

  >    write remains.

  

  Thanks for the report.  The function is superuser-only, so this is not a vuln.

  Please report the overflow bug to pgsql-bugs@postgresql.org.

  

  


Commits

  1. pg_surgery: Fix off-by-one bug with heap offset