Fix reset of incorrect hash iterator in GROUPING SETS queries

This fixes an unlikely issue when fetching GROUPING SET results from
their internally stored hash tables.  It was possible in rare cases that
the hash iterator would be set up incorrectly which could result in a
crash.

This was introduced in 4d143509c, so backpatch to v18.

Many thanks to Yuri Zamyatin for reporting and helping to debug this
issue.

Bug: #19078
Reported-by: Yuri Zamyatin <yuri@yrz.am>
Author: David Rowley <dgrowleyml@gmail.com>
Reviewed-by: Jeff Davis <pgsql@j-davis.com>
Discussion: https://postgr.es/m/19078-dfd62f840a2c0766@postgresql.org
Backpatch-through: 18

diff --git a/src/backend/executor/nodeAgg.c b/src/backend/executor/nodeAgg.c
index a4f3d30f307ccb39704640930ce212735e79f962..64643c3943a89154009fa91ebb81d8dcc1ea6eb7 100644 (file)
--- a/src/backend/executor/nodeAgg.c
+++ b/src/backend/executor/nodeAgg.c
@@ -2911,7 +2911,7 @@ agg_retrieve_hash_table_in_memory(AggState *aggstate)
 
                perhash = &aggstate->perhash[aggstate->current_set];
 
-               ResetTupleHashIterator(hashtable, &perhash->hashiter);
+               ResetTupleHashIterator(perhash->hashtable, &perhash->hashiter);
 
                continue;
            }

diff --git a/src/include/lib/simplehash.h b/src/include/lib/simplehash.h
index 327274c2340bf90b02cdcfda268bd117d9046a8f..9622131ede6811d9c0b8cb723a6587524735f79c 100644 (file)
--- a/src/include/lib/simplehash.h
+++ b/src/include/lib/simplehash.h
@@ -1044,6 +1044,10 @@ SH_START_ITERATE_AT(SH_TYPE * tb, SH_ITERATOR * iter, uint32 at)
 SH_SCOPE   SH_ELEMENT_TYPE *
 SH_ITERATE(SH_TYPE * tb, SH_ITERATOR * iter)
 {
+   /* validate sanity of the given iterator */
+   Assert(iter->cur < tb->size);
+   Assert(iter->end < tb->size);
+
    while (!iter->done)
    {
        SH_ELEMENT_TYPE *elem;