Fw: Re: heap_force_common in contrib/pg_surgery/heap_surgery.c has an off by one stack buffer overflow
(unknown)
From: violin0613@tju.edu.cn <violin0613@tju.edu.cn>
To: <pgsql-bugs@postgresql.org>
Date: 2026-06-03T16:22:53Z
Lists: pgsql-bugs
---Original---
From: "Noah Misch"<noah@leadboat.com>
Date: Wed, Jun 3, 2026 23:25 PM
To: "王跃林"<violin0613@tju.edu.cn>;
Cc: "security"<security@postgresql.org>;
Subject: Re: heap_force_common in contrib/pg_surgery/heap_surgery.c has an off by one stack buffer overflow
On Sat, May 23, 2026 at 11:56:59AM +0800, 王跃林 wrote:
> PoC
>
> CREATE EXTENSION IF NOT EXISTS pg_surgery
> â
> CREATE TABLE vuln_005_t()
> â
> INSERT INTO vuln_005_t SELECT FROM generate_series(1, 291)
> â
> SELECT heap_force_freeze('vuln_005_t'::regclass,
> ARRAY['(0, 291)']::tid[])
>
> The final statement triggers the bug.
>
> Results
>
> The debug build crashed with:
> TRAP: failed Assert("offno < MaxHeapTuplesPerPage"), File: "heap_surgery.c", Li
> ne: 231
> server closed the connection unexpectedly
>
> In a release build, the assertion is removed and the out of bounds
> write remains.
Thanks for the report. The function is superuser-only, so this is not a vuln.
Please report the overflow bug to pgsql-bugs@postgresql.org.
Commits
-
pg_surgery: Fix off-by-one bug with heap offset
- 1eda3eb0753a 14 (unreleased) landed
- 51f63ba2bf7f 15 (unreleased) landed
- daf8bc7d41ac 16 (unreleased) landed
- 0bcf19c9e8fc 17 (unreleased) landed
- 2b09f8a9110a 18 (unreleased) landed
- 193a4ded9474 19 (unreleased) landed