Re: Small and unlikely overflow hazard in bms_next_member()
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: David Rowley <dgrowleyml@gmail.com>
Cc: PostgreSQL Developers <pgsql-hackers@lists.postgresql.org>
Date: 2026-04-02T04:22:48Z
Lists: pgsql-hackers
David Rowley <dgrowleyml@gmail.com> writes: > When testing some ERROR code I added to ensure we don't get an > excessively large left shift value and end up with members higher than > INT32_MAX, I discovered that bms_next_member() can't handle that > value, as "prevbit++" will wrap to INT32_MIN and then we'll try to > access a negative array index, i.e. seg fault. > I appreciate that such a large member is quite unlikely, I think it's impossible, and if it's not then this is not the only place in bitmapset.c that could theoretically overflow. As an example, bms_prev_member does Assert(prevbit <= a->nwords * BITS_PER_BITMAPWORD); but if the bitmapset were large enough to accommodate INT_MAX as a member then a->nwords * BITS_PER_BITMAPWORD must overflow. I don't think we should add cycles here for this purpose. If it makes you feel better, maybe add Asserts to bms_make_singleton and bms_add_member to constrain the maximum member value to somewhat less than INT_MAX? regards, tom lane
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Fix unlikely overflow bug in bms_next_member()
- e3e26d04bd52 19 (unreleased) landed