From 5c0a20003b4396930a354105ccf47402ca5047d2 Mon Sep 17 00:00:00 2001
From: David Rowley
Date: Sat, 18 Oct 2025 16:07:04 +1300
Subject: [PATCH] Fix reset of incorrect hash iterator in GROUPING SETS queries
This fixes an unlikely issue when fetching GROUPING SET results from their internally stored hash tables. It was possible in rare cases that the hash iterator would be set up incorrectly which could result in a crash. This was introduced in 4d143509c, so backpatch to v18. Many thanks to Yuri Zamyatin for reporting and helping to debug this issue.
Bug: #19078
Reported-by: Yuri Zamyatin
Author: David Rowley
Reviewed-by: Jeff Davis
Discussion: https://postgr.es/m/19078-dfd62f840a2c0766@postgresql.org
Backpatch-through: 18
---
 src/backend/executor/nodeAgg.c | 2 +-
 src/include/lib/simplehash.h | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/backend/executor/nodeAgg.c b/src/backend/executor/nodeAgg.c
index a4f3d30f307..64643c3943a 100644
--- a/src/backend/executor/nodeAgg.c
+++ b/src/backend/executor/nodeAgg.c
@@ -2911,7 +2911,7 @@ agg_retrieve_hash_table_in_memory(AggState *aggstate)
 perhash = &aggstate->perhash[aggstate->current_set];
- ResetTupleHashIterator(hashtable, &perhash->hashiter);
+ ResetTupleHashIterator(perhash->hashtable, &perhash->hashiter);
 continue;
 }
diff --git a/src/include/lib/simplehash.h b/src/include/lib/simplehash.h
index 327274c2340..9622131ede6 100644
--- a/src/include/lib/simplehash.h
+++ b/src/include/lib/simplehash.h
@@ -1044,6 +1044,10 @@ SH_START_ITERATE_AT(SH_TYPE * tb, SH_ITERATOR * iter, uint32 at)
 SH_SCOPE SH_ELEMENT_TYPE *
 SH_ITERATE(SH_TYPE * tb, SH_ITERATOR * iter)
 {
+ /* validate sanity of the given iterator */
+ Assert(iter->cur < tb->size);
+ Assert(iter->end < tb->size);
+
 while (!iter->done)
 {
 SH_ELEMENT_TYPE *elem;
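Review bot: The corrected `ResetTupleHashIterator(perhash->hashtable, &perhash->hashiter);` call has no comment saying why it must use the table of the freshly assigned `perhash`, which is the mistake this commit repairs: once `perhash` is re-pointed on the context line above, a table pointer captured earlier belongs to the previous grouping set. I would add above the call `/* perhash was just switched; reset against the new set's table, not a previously cached pointer */`. The enclosing loop of agg_retrieve_hash_table_in_memory starts and ends outside the hunk, so whether a local `hashtable` is still used after this `continue` without being refreshed cannot be checked from here and is worth confirming. The diffstat shows no regression test, so a recurrence would be caught only by the new asserts in simplehash.h, and only on assert-enabled builds.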
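Review bot: The two added `Assert`s at the top of SH_ITERATE are a debugging aid rather than a bounds check, and the comment `/* validate sanity of the given iterator */` does not say so: assuming `Assert` is compiled out of non-assert builds as usual, a production build with an iterator started on a different table would still index past the end of `tb`'s bucket array. They also detect a mismatch only when the iterator's positions are at or beyond `tb->size`; an iterator from another table whose `cur` and `end` fall below `tb->size` passes both checks and walks the wrong table silently. I would reword the comment to `/* iter must have been started on tb; this catches only positions beyond tb->size, and only in assert-enabled builds */`. SH_ITERATE's body continues past the end of the hunk.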