Add Asserts to validate prevbit values in bms_prev_member

david-rowley · david-rowley · commit b4632883d44e · 2025-08-15T16:33:07.000+12:00
bms_prev_member() could attempt to access memory outside of the words[] array in cases where the prevbit was a number < -1 or > a->nwords * BITS_PER_BITMAPWORD + 1. Here we add the Asserts to help draw attention to bogus callers so we're more likely to catch them during development. In passing, fix wording of bms_prev_member's header comment which talks about how we expect the callers to ensure only valid prevbit values are used. Author: Greg Burd <greg@burd.me> Reviewed-by: David Rowley <dgrowleyml@gmail.com> Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us> Discussion: https://postgr.es/m/2000A717-1FFE-4031-827B-9330FB2E9065%40getmailspring.com
diff --git a/src/backend/nodes/bitmapset.c b/src/backend/nodes/bitmapset.c
@@ -1343,7 +1343,7 @@ bms_next_member(const Bitmapset *a, int prevbit)
  *
  * Returns largest member less than "prevbit", or -2 if there is none.
  * "prevbit" must NOT be more than one above the highest possible bit that can
- * be set at the Bitmapset at its current size.
+ * be set in the Bitmapset at its current size.
  *
  * To ease finding the highest set bit for the initial loop, the special
  * prevbit value of -1 can be passed to have the function find the highest
@@ -1379,6 +1379,10 @@ bms_prev_member(const Bitmapset *a, int prevbit)
 	if (a == NULL || prevbit == 0)
 		return -2;
 
+	/* Validate callers didn't give us something out of range */
+	Assert(prevbit <= a->nwords * BITS_PER_BITMAPWORD);
+	Assert(prevbit >= -1);
+
 	/* transform -1 to the highest possible bit we could have set */
 	if (prevbit == -1)
 		prevbit = a->nwords * BITS_PER_BITMAPWORD - 1;
