Fix out-of-bounds writes to scanTupleSlot

ss_ScanTupleSlot is not an array, it's a single slot. The slot is allocated from a bigger array, however, so this trampled over some other slot that was allocated right after the scan slot. This has apparently been harmless, as no-one's noticed, but it's surely wrong. I bumped into this in the PostgreSQL 8.3 merge branch, where I had changed the way the slots are allocated so that they're not stored in one big array anymore. This bug led to segfaults in that case.

Fix out-of-bounds writes to scanTupleSlot
ss_ScanTupleSlot is not an array, it's a single slot. The slot is allocated from a bigger array, however, so this trampled over some other slot that was allocated right after the scan slot. This has apparently been harmless, as no-one's noticed, but it's surely wrong. I bumped into this in the PostgreSQL 8.3 merge branch, where I had changed the way the slots are allocated so that they're not stored in one big array anymore. This bug led to segfaults in that case.
a33699bc · Heikki Linnakangas · 455f0e19 · a33699bc · a33699bc · a33699bc
3 changed file
--- a/src/backend/executor/execDynamicScan.c
+++ b/src/backend/executor/execDynamicScan.c
@@ -211,6 +211,7 @@ DynamicScan_UpdateScanStateForNewPart(ScanState *scanState, Relation newRelation
 	scanState->ss_currentRelation = newRelation;
 	ExecAssignScanType(scanState, RelationGetDescr(newRelation));
 	Oid newOid = RelationGetRelid(newRelation);
+
 	/*
 	 * Inside ExecInitScanTupleSlot() we set the tuple table slot's oid
 	 * to range table entry's relid, which for partitioned table always set
@@ -220,11 +221,7 @@ DynamicScan_UpdateScanStateForNewPart(ScanState *scanState, Relation newRelation
 	 * to return correct partition oid, we need to update
 	 * our tuple table slot's oid to reflect the partition oid.
 	 */
-	for (int i = 0; i < DYNAMIC_SCAN_NSLOTS; i++)
-	{
-		scanState->ss_ScanTupleSlot[i].tts_tableOid = newOid;
-	}
-
+	scanState->ss_ScanTupleSlot->tts_tableOid = newOid;
 	scanState->tableType = getTableType(scanState->ss_currentRelation);
 }


--- a/src/backend/executor/nodeDynamicIndexscan.c
+++ b/src/backend/executor/nodeDynamicIndexscan.c
@@ -182,10 +182,7 @@ initNextIndexToScan(DynamicIndexScanState *node)
 		Relation currentRelation = OpenScanRelationByOid(*pid);
 		indexState->ss.ss_currentRelation = currentRelation;

-		for (int i=0; i < DYNAMICINDEXSCAN_NSLOTS; i++)
-		{
-			indexState->ss.ss_ScanTupleSlot[i].tts_tableOid = *pid;
-		}
+		indexState->ss.ss_ScanTupleSlot->tts_tableOid = *pid;

 		ExecAssignScanType(&indexState->ss, RelationGetDescr(currentRelation));


--- a/src/backend/executor/nodeDynamicTableScan.c
+++ b/src/backend/executor/nodeDynamicTableScan.c
@@ -106,10 +106,7 @@ initNextTableToScan(DynamicTableScanState *node)
 		 * to return correct partition oid, we need to update
 		 * our tuple table slot's oid to reflect the partition oid.
 		 */
-		for (int i = 0; i < DYNAMIC_TABLE_SCAN_NSLOTS; i++)
-		{
-			scanState->ss_ScanTupleSlot[i].tts_tableOid = *pid;
-		}
+		scanState->ss_ScanTupleSlot->tts_tableOid = *pid;

 		scanState->ss_currentRelation = OpenScanRelationByOid(*pid);
 		Relation lastScannedRel = OpenScanRelationByOid(node->lastRelOid);