From dd7a99c8e83be7601a6b12bad6c2f55f181f1523 Mon Sep 17 00:00:00 2001
From: Ayush Tiwari <ayushtiwari.slg01@gmail.com>
Date: Mon, 29 Jun 2026 06:55:53 +0000
Subject: [PATCH v1] Make buffer-descriptor accessors take signed int and
 assert range

GetBufferDescriptor() and GetLocalBufferDescriptor() took a uint32 id, so
a negative buffer id (such as a local buffer's buffer-1) silently wrapped
to a huge value and indexed out of bounds, returning a bogus descriptor
instead of failing.  MarkBufferDirtyHint() relied on the result being
unused for local buffers, but it was undefined behavior nonetheless.

Switch both accessors to a signed int and assert 0 <= id < NBuffers /
NLocBuffer so a bad id trips immediately instead of silently aliasing a
valid descriptor.

Discussion: https://postgr.es/m/CAExHW5uzRMYVZsXXS3HXXT0fG_sNrpUhUqwP4NorhaCqH9JDhA@mail.gmail.com
---
 src/include/storage/buf_internals.h | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/include/storage/buf_internals.h b/src/include/storage/buf_internals.h
index 89615a254a3..7b13ec0dc74 100644
--- a/src/include/storage/buf_internals.h
+++ b/src/include/storage/buf_internals.h
@@ -419,14 +419,18 @@ extern PGDLLIMPORT BufferDesc *LocalBufferDescriptors;
 
 
 static inline BufferDesc *
-GetBufferDescriptor(uint32 id)
+GetBufferDescriptor(int id)
 {
+	Assert(id >= 0 && id < NBuffers);
+
 	return &(BufferDescriptors[id]).bufferdesc;
 }
 
 static inline BufferDesc *
-GetLocalBufferDescriptor(uint32 id)
+GetLocalBufferDescriptor(int id)
 {
+	Assert(id >= 0 && id < NLocBuffer);
+
 	return &LocalBufferDescriptors[id];
 }
 
-- 
2.43.0

