Add runtime checks for bogus multixact offsets

It's not far-fetched that we'd try to read a multixid with an invalid
offset in case of bugs or corruption. Or if you call
pg_get_multixact_members() after a crash that left behind invalid but
unused multixids. Better to get a somewhat descriptive error message
if that happens.

Discussion: https://www.postgresql.org/message-id/3624730d-6dae-42bf-9458-76c4c965fb27@iki.fi

diff --git a/src/backend/access/transam/multixact.c b/src/backend/access/transam/multixact.c
index 3a95f9ca1f8313a3aa597f8cbabc36f96a0ee997..8ba2f4529dc19bb928dc8a1fcc1b5196818179dc 100644 (file)
--- a/src/backend/access/transam/multixact.c
+++ b/src/backend/access/transam/multixact.c
@@ -1153,6 +1153,7 @@ GetMultiXactIdMembers(MultiXactId multi, MultiXactMember **members,
    int         slotno;
    MultiXactOffset *offptr;
    MultiXactOffset offset;
+   MultiXactOffset nextMXOffset;
    int         length;
    MultiXactId oldestMXact;
    MultiXactId nextMXact;
@@ -1244,12 +1245,14 @@ GetMultiXactIdMembers(MultiXactId multi, MultiXactMember **members,
    offptr += entryno;
    offset = *offptr;
 
-   Assert(offset != 0);
+   if (offset == 0)
+       ereport(ERROR,
+               (errcode(ERRCODE_DATA_CORRUPTED),
+                errmsg("MultiXact %u has invalid offset", multi)));
 
    /* read next multi's offset */
    {
        MultiXactId tmpMXact;
-       MultiXactOffset nextMXOffset;
 
        /* handle wraparound if needed */
        tmpMXact = multi + 1;
@@ -1283,21 +1286,27 @@ GetMultiXactIdMembers(MultiXactId multi, MultiXactMember **members,
        offptr = (MultiXactOffset *) MultiXactOffsetCtl->shared->page_buffer[slotno];
        offptr += entryno;
        nextMXOffset = *offptr;
-
-       if (nextMXOffset == 0)
-           ereport(ERROR,
-                   (errcode(ERRCODE_DATA_CORRUPTED),
-                    errmsg("MultiXact %u has invalid next offset",
-                           multi)));
-
-       length = nextMXOffset - offset;
    }
 
    LWLockRelease(lock);
    lock = NULL;
 
-   /* A multixid with zero members should not happen */
-   Assert(length > 0);
+   /* Sanity check the next offset */
+   if (nextMXOffset == 0)
+       ereport(ERROR,
+               (errcode(ERRCODE_DATA_CORRUPTED),
+                errmsg("MultiXact %u has invalid next offset", multi)));
+   if (nextMXOffset < offset)
+       ereport(ERROR,
+               (errcode(ERRCODE_DATA_CORRUPTED),
+                errmsg("MultiXact %u has offset (%" PRIu64 ") greater than its next offset (%" PRIu64 ")",
+                       multi, offset, nextMXOffset)));
+   if (nextMXOffset - offset > INT32_MAX)
+       ereport(ERROR,
+               (errcode(ERRCODE_DATA_CORRUPTED),
+                errmsg("MultiXact %u has too many members (%" PRIu64 ")",
+                       multi, nextMXOffset - offset)));
+   length = nextMXOffset - offset;
 
    /* read the members */
    ptr = (MultiXactMember *) palloc(length * sizeof(MultiXactMember));