Hi,
The variable maxoff is of type OffsetNumber, which is a uint16; see include/storage/off.h:
typedef uint16 OffsetNumber;
Within the function _bt_afternewitemoff, at line 641, maxoff is used in a
dangerous expression, without protection: (maxoff - 1)
The function PageGetMaxOffsetNumber, which initializes maxoff, can return zero.
See storage/bufpage.h:
* PageGetMaxOffsetNumber
* Returns the maximum offset number used by the given page.
* Since offset numbers are 1-based, this is also the number
* of items on the page.
*
* NOTE: if the page is not initialized (pd_lower == 0), we must
* return zero to ensure sane behavior. Accept double evaluation
* of the argument so that we can ensure this.
Surely not the best solution, but it was the best I could think of.
Best regards,
Ranier Vilela
diff --git a/src/backend/access/nbtree/nbtsplitloc.c b/src/backend/access/nbtree/nbtsplitloc.c
index a04d4e25d6..2bff486940 100644
--- a/src/backend/access/nbtree/nbtsplitloc.c
+++ b/src/backend/access/nbtree/nbtsplitloc.c
@@ -638,7 +638,7 @@ _bt_afternewitemoff(FindSplitData *state, OffsetNumber maxoff,
*/
if (state->newitemsz != state->minfirstrightsz)
return false;
- if (state->newitemsz * (maxoff - 1) != state->olddataitemstotal)
+ if ((maxoff <= 1) || (state->newitemsz * (maxoff - 1) != state->olddataitemstotal))
return false;
/*
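Review bot: the new guard `(maxoff <= 1)` also rejects the maxoff == 1 case, which the old line accepted whenever `state->newitemsz * 0 == state->olddataitemstotal` held, so this hunk changes behaviour for a page holding exactly one item, not only for the uninitialized-page case (maxoff == 0) that the message describes; if that is intended, say so in a comment above the condition, otherwise narrow the guard to `maxoff == 0`. Note also that since OffsetNumber is a uint16, `maxoff - 1` undergoes integer promotion and evaluates to the int -1 when maxoff is 0 rather than wrapping to 65535; what that -1 then does in the product depends on the type of `state->newitemsz`, which this hunk does not show, so the commit message should state the concrete misbehaviour (or assertion) that was observed with maxoff == 0 so reviewers can confirm the guard addresses it. Stylistically, the added check would read better on its own line with a comment explaining why a zero maxoff can reach this function, matching the comment block that precedes the condition.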