From c9182699ad3c679fb47e3211398d5ed56e4a4b6b Mon Sep 17 00:00:00 2001
From: Greg Burd
Date: Wed, 13 Aug 2025 14:25:26 -0400
Subject: [PATCH v2] Prevent bms_prev_member() from reading beyond the end of the map
Assert when prevbit would read beyond the end of the words array enforcing the requirement in the comment that it be less than the capacity of the Bitmapset.
---
 src/backend/nodes/bitmapset.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/backend/nodes/bitmapset.c b/src/backend/nodes/bitmapset.c
index bf512cf806f..8111e81e9a3 100644
--- a/src/backend/nodes/bitmapset.c
+++ b/src/backend/nodes/bitmapset.c
@@ -1342,8 +1342,8 @@ bms_next_member(const Bitmapset *a, int prevbit)
 * bms_prev_member - find prev member of a set
 *
 * Returns largest member less than "prevbit", or -2 if there is none.
- * "prevbit" must NOT be more than one above the highest possible bit that can
- * be set at the Bitmapset at its current size.
+ * "prevbit" must NOT be greater than the highest possible bit that can be set
+ * in the Bitmapset at its current size.
 *
 * To ease finding the highest set bit for the initial loop, the special
 * prevbit value of -1 can be passed to have the function find the highest
@@ -1371,6 +1371,7 @@ bms_prev_member(const Bitmapset *a, int prevbit)
 bitmapword mask;
 Assert(bms_is_valid_set(a));
+ Assert(prevbit < a->nwords * BITS_PER_BITMAPWORD);
 /*
 * If set is NULL or if there are no more bits to the right then we've
--
2.49.0
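Review bot: The added `Assert(prevbit < a->nwords * BITS_PER_BITMAPWORD)` in bms_prev_member() dereferences `a` before the NULL case that the comment just below it says the function handles, so an assert-enabled build would fault on a NULL set instead of returning; guard it as `Assert(a == NULL || prevbit < a->nwords * BITS_PER_BITMAPWORD);` or move it below the NULL return. Because Assert is normally compiled out of non-assert builds, the bound stays unenforced in production and an out-of-range prevbit would still index past the words array there, so callers remain responsible for the range. The first hunk tightens the documented limit from "one above the highest possible bit" to "not greater than" it; whether `<` rather than `<=` is the correct bound depends on how prevbit is adjusted before it is used as an index, which is outside the hunk, so that should be confirmed against existing callers. The function body continues beyond the hunk.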