Fix overflow danger in SampleHeapTupleVisible()

68d9662be1c4b70 made HeapScanDesc->rs_ntuples unsigned but neglected to change how it was being used in SampleHeapTupleVisible(). Return early if rs_ntuples is 0 to avoid overflowing and incorrectly executing the loop code in SampleHeapTupleVisible(). Reported-by: Ranier Vilela Discussion: https://postgr.es/m/CAEudQAot_xQoZyPZjpj1aBUPrPykY5mOPHGyvfe%3Djz%2BWowdA3A%40mail.gmail.com
2025-05-29 16:21:20 +03:00 · 2024-12-18 18:16:43 -05:00 · 2024-12-18 18:16:43 -05:00 · 28328ec87b
commit 28328ec87b
parent 68d9662be1
1 changed files with 9 additions and 3 deletions
--- a/src/backend/access/heap/heapam_handler.c
+++ b/src/backend/access/heap/heapam_handler.c
@ -2577,6 +2577,12 @@ SampleHeapTupleVisible(TableScanDesc scan, Buffer buffer,

 	if (scan->rs_flags & SO_ALLOW_PAGEMODE)
 	{
+		uint32		start,
+					end;
+
+		if (hscan->rs_ntuples == 0)
+			return false;
+
 		/*
 		 * In pageatatime mode, heap_prepare_pagescan() already did visibility
 		 * checks, so just look at the info it left in rs_vistuples[].
@ -2586,12 +2592,12 @@ SampleHeapTupleVisible(TableScanDesc scan, Buffer buffer,
 		 * in increasing order, but it's not clear that there would be enough
 		 * gain to justify the restriction.
 		 */
-		int			start = 0,
-					end = hscan->rs_ntuples - 1;
+		start = 0;
+		end = hscan->rs_ntuples - 1;

 		while (start <= end)
 		{
-			int			mid = (start + end) / 2;
+			uint32		mid = (start + end) / 2;
 			OffsetNumber curoffset = hscan->rs_vistuples[mid];

 			if (tupoffset == curoffset)