On Aug 14 2025, at 11:37 am, Greg Burd <g...@burd.me> wrote:
>
> On Aug 14 2025, at 11:14 am, Tom Lane <t...@sss.pgh.pa.us> wrote:
>
>> David Rowley <dgrowle...@gmail.com> writes:
>>> It is valid to pass prevbit as a->nwords * BITS_PER_BITMAPWORD as the
>>> code does "prevbit--;". Maybe it would be less confusing if it were
>>> written as:
>>> * "prevbit" must be less than or equal to "a->nwords *
>>> BITS_PER_BITMAPWORD".
>>> The Assert should be using <= rather than <.
>>
>> Actually, I don't agree with that. It's true that it wouldn't fail,
>> but a caller doing that is exhibiting undue intimacy with the innards
>> of Bitmapsets. The expected usage is that the argument is initially
>> -1 and after that the result of the previous call (which'll
>> necessarily be less than a->nwords * BITS_PER_BITMAPWORD). We don't
>> have any state with which we can verify the chain of calls, but it
>> seems totally reasonable to me to disallow an outside caller
>> providing an argument >= a->nwords * BITS_PER_BITMAPWORD.
>>
>> regards, tom lane
>
>
> Thanks Tom, David,
>
> Seems I also forgot about the case where the Bitmapset passed is NULL.
> The new assert needs to handle that as well.
>
> -greg
Well, that was rushed. Apologies.

-greg
v4-0001-Prevent-bms_prev_member-from-reading-beyond-the-e.patch
Description: Binary data
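The precondition being debated above, written out as a small constructed model (this is added example code, not PostgreSQL's bitmapset.c and not the attached patch): a word-array set with a reverse-iteration function that asserts the argument is either the -1 sentinel or strictly below a->nwords * BITS_PER_BITMAPWORD, and that accepts a NULL set before touching a->nwords so the existing "-2" early return still applies. The names model_prev_member, prevbit_in_range, make_set and collect_reverse, and the word size of 64 bits, are assumptions made for this example.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of a PostgreSQL-style Bitmapset (not the real one). */
typedef uint64_t bitmapword;
#define BITS_PER_BITMAPWORD 64

typedef struct Bitmapset
{
	int nwords;          /* number of words in the array */
	bitmapword words[];  /* flexible array member */
} Bitmapset;

/*
 * Precondition from the thread: prevbit is the -1 sentinel, or a value
 * returned by the previous call, which is always < nwords * BITS_PER_BITMAPWORD.
 * A NULL set has no nwords to compare against, so only the sentinel and
 * non-negative values are checked; the caller-visible -2 return handles NULL.
 */
static bool
prevbit_in_range(const Bitmapset *a, int prevbit)
{
	if (prevbit == -1)
		return true;
	if (a == NULL)
		return prevbit >= 0;
	return prevbit >= 0 && prevbit < a->nwords * BITS_PER_BITMAPWORD;
}

/* Largest member strictly below prevbit, or -2 if there is none. */
static int
model_prev_member(const Bitmapset *a, int prevbit)
{
	int wordnum;
	int ushiftbits;
	bitmapword mask;

	assert(prevbit_in_range(a, prevbit));   /* checked before any dereference */

	if (a == NULL || prevbit == 0)
		return -2;

	if (prevbit == -1)
		prevbit = a->nwords * BITS_PER_BITMAPWORD;

	prevbit--;                                /* highest candidate bit */
	wordnum = prevbit / BITS_PER_BITMAPWORD;
	ushiftbits = BITS_PER_BITMAPWORD - (prevbit % BITS_PER_BITMAPWORD) - 1;
	mask = (~(bitmapword) 0) >> ushiftbits;  /* keeps bits 0..prevbit of the word */

	for (; wordnum >= 0; wordnum--)
	{
		bitmapword w = a->words[wordnum] & mask;

		if (w != 0)
		{
			int bit = BITS_PER_BITMAPWORD - 1;

			while (!(w & ((bitmapword) 1 << bit)))
				bit--;
			return wordnum * BITS_PER_BITMAPWORD + bit;
		}
		mask = ~(bitmapword) 0;               /* lower words are scanned whole */
	}
	return -2;
}

/* Build a set of the given word count from constructed member numbers. */
static Bitmapset *
make_set(int nwords, const int *members, int nmembers)
{
	Bitmapset *a = calloc(1, sizeof(Bitmapset) + nwords * sizeof(bitmapword));

	a->nwords = nwords;
	for (int i = 0; i < nmembers; i++)
		a->words[members[i] / BITS_PER_BITMAPWORD] |=
			(bitmapword) 1 << (members[i] % BITS_PER_BITMAPWORD);
	return a;
}

/* The expected usage chain: start at -1, feed each result back in. */
static int
collect_reverse(const Bitmapset *a, int *out, int cap)
{
	int n = 0;
	int x = -1;

	while (n < cap && (x = model_prev_member(a, x)) >= 0)
		out[n++] = x;
	return n;
}

/* Sample run on constructed data: members {3, 64, 130} in a 3-word set. */
static int
demo(void)
{
	int members[] = {3, 64, 130};
	Bitmapset *a = make_set(3, members, 3);
	int out[8];
	int n = collect_reverse(a, out, 8);   /* yields 130, 64, 3 */

	free(a);
	return n;
}
```

The point of prevbit_in_range is the ordering: the range check must tolerate a NULL set, because the function's own NULL guard runs only after the assert, and a caller passing exactly nwords * BITS_PER_BITMAPWORD trips the assert even though the subsequent "prevbit--" would have made it harmless.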