Fix nbtree lookahead overflow bug.
author Peter Geoghegan <[email protected]>
Mon, 26 Aug 2024 15:29:15 +0000 (11:29 -0400)
committer Peter Geoghegan <[email protected]>
Mon, 26 Aug 2024 15:29:15 +0000 (11:29 -0400)
Add bounds checking to nbtree's lookahead/skip-within-a-page mechanism.
Otherwise it's possible for cases with lots of before-array-keys tuples
to overflow an int16 variable, causing the mechanism to generate an out
of bounds page offset number.

Oversight in commit 5bf748b8, which enhanced nbtree ScalarArrayOp
execution.

Reported-By: Alexander Lakhin <[email protected]>
Discussion: https://postgr.es/m/6c68ac42-bbb5-8b24-103e-af0e279c536f@gmail.com
Back: 17-, where nbtree SAOP execution was enhanced.

src/backend/access/nbtree/nbtutils.c

index d6de2072d4057b70e494af2b159536f3b09b2bef..c22ccec789d2a6aa1665bde375c72aae387e9ba3 100644 (file)
@@ -4091,7 +4091,7 @@ _bt_checkkeys_look_ahead(IndexScanDesc scan, BTReadPageState *pstate,
     */
    if (!pstate->targetdistance)
        pstate->targetdistance = LOOK_AHEAD_DEFAULT_DISTANCE;
-   else
+   else if (pstate->targetdistance < MaxIndexTuplesPerPage / 2)
        pstate->targetdistance *= 2;
 
    /* Don't read past the end (or before the start) of the page, though */
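
Review bot: the new condition on the `else if (pstate->targetdistance < MaxIndexTuplesPerPage / 2)` line has no comment, so the code itself does not say that the cap exists to stop repeated doubling from overflowing the int16 named in the commit message. Suggest a short comment above the `else if` stating that doubling stops once the distance reaches half of MaxIndexTuplesPerPage and why. An assertion after the doubling that targetdistance is still positive and below MaxIndexTuplesPerPage would also let assert-enabled builds catch any later change that reintroduces the overflow.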