From 09a8407dbfd848301cd2c9801c3b4d75adc6cabc Mon Sep 17 00:00:00 2001 From: Peter Geoghegan Date: Mon, 26 Aug 2024 11:29:15 -0400 Subject: [PATCH] Fix nbtree lookahead overflow bug. Add bounds checking to nbtree's lookahead/skip-within-a-page mechanism. Otherwise it's possible for cases with lots of before-array-keys tuples to overflow an int16 variable, causing the mechanism to generate an out of bounds page offset number. Oversight in commit 5bf748b8, which enhanced nbtree ScalarArrayOp execution. Reported-By: Alexander Lakhin Discussion: https://postgr.es/m/6c68ac42-bbb5-8b24-103e-af0e279c536f@gmail.com Backpatch: 17-, where nbtree SAOP execution was enhanced. --- src/backend/access/nbtree/nbtutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/backend/access/nbtree/nbtutils.c b/src/backend/access/nbtree/nbtutils.c index d6de2072d40..c22ccec789d 100644 --- a/src/backend/access/nbtree/nbtutils.c +++ b/src/backend/access/nbtree/nbtutils.c @@ -4091,7 +4091,7 @@ _bt_checkkeys_look_ahead(IndexScanDesc scan, BTReadPageState *pstate, */ if (!pstate->targetdistance) pstate->targetdistance = LOOK_AHEAD_DEFAULT_DISTANCE; - else + else if (pstate->targetdistance < MaxIndexTuplesPerPage / 2) pstate->targetdistance *= 2; /* Don't read past the end (or before the start) of the page, though */
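Review bot: The new `else if (pstate->targetdistance < MaxIndexTuplesPerPage / 2)` guard has no comment explaining why that bound was chosen, and the diffstat (1 insertion, 1 deletion) shows the comment block ending just above the `if` is unchanged. A reader of nbtutils.c alone therefore has no record that the cap exists to stop the repeated `pstate->targetdistance *= 2` from overflowing the int16 described in the commit message. Consider a one-line comment on the `else if` stating that doubling stops once the distance reaches half of MaxIndexTuplesPerPage, so the value stays a valid in-page distance before the "Don't read past the end" clamp that follows. The patch also touches only this one file, so no regression test covers a page with many before-array-keys tuples; if the reported case can be reduced to a small test, adding it would keep the bound from being loosened later.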