From fdad0b081d6b1de76a12fb79e5c18ae109bd008d Mon Sep 17 00:00:00 2001
From: Greg Burd <greg@burd.me>
Date: Wed, 13 Aug 2025 14:25:26 -0400
Subject: [PATCH v5] Prevent bms_prev_member() from reading beyond the end of
 the map

Assert when prevbit would read beyond the end of the words array,
enforcing the requirement stated in the function comment that it be
within the current capacity of the Bitmapset.
---
 src/backend/nodes/bitmapset.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/backend/nodes/bitmapset.c b/src/backend/nodes/bitmapset.c
index bf512cf806f..5c8a5b74f12 100644
--- a/src/backend/nodes/bitmapset.c
+++ b/src/backend/nodes/bitmapset.c
@@ -1343,7 +1343,7 @@ bms_next_member(const Bitmapset *a, int prevbit)
  *
  * Returns largest member less than "prevbit", or -2 if there is none.
  * "prevbit" must NOT be more than one above the highest possible bit that can
- * be set at the Bitmapset at its current size.
+ * be set in the Bitmapset at its current size.
  *
  * To ease finding the highest set bit for the initial loop, the special
  * prevbit value of -1 can be passed to have the function find the highest
@@ -1379,6 +1379,9 @@ bms_prev_member(const Bitmapset *a, int prevbit)
 	if (a == NULL || prevbit == 0)
 		return -2;
 
+	/* Validate callers didn't give us something out of range */
+	Assert(prevbit <= a->nwords * BITS_PER_BITMAPWORD);
+
 	/* transform -1 to the highest possible bit we could have set */
 	if (prevbit == -1)
 		prevbit = a->nwords * BITS_PER_BITMAPWORD - 1;
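Review bot: The added `Assert(prevbit <= a->nwords * BITS_PER_BITMAPWORD);` is compiled out of builds without assert checking, so in a production build an out-of-range `prevbit` still reaches whatever indexing follows this hunk, and the over-read named in the subject line is only caught in debug builds. If any caller can derive `prevbit` from a value it does not fully control, a runtime check is the safer form, for example `if (prevbit > a->nwords * BITS_PER_BITMAPWORD) elog(ERROR, "bitmapset member out of range");`. Otherwise the comment should say so, e.g. `/* Debug-only check: callers must keep prevbit within the set's current capacity */`. The assertion also covers only the upper bound, so values below -1 pass it unchecked; `Assert(prevbit >= -1 && prevbit <= a->nwords * BITS_PER_BITMAPWORD);` would state the whole contract. The body of bms_prev_member continues past this hunk, so how a negative value is actually handled there cannot be confirmed from these lines.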
-- 
2.49.0

