Fix crash bug in RestoreSnapshot.

robertmhaas · robertmhaas · commit 8f4a369c28be · 2016-07-01T09:03:52.000-04:00
If serialized_snapshot-&gt;subxcnt &gt; 0 and serialized_snapshot-&gt;xcnt == 0,
the old coding would do the wrong thing and crash.  This can happen
on standby servers.

Report by Andreas Seltenreich.  Patch by Thomas Munro, reviewed by
Amit Kapila and tested by Andreas Seltenreich.
diff --git a/src/backend/utils/time/snapmgr.c b/src/backend/utils/time/snapmgr.c
@@ -1573,7 +1573,8 @@ RestoreSnapshot(char *start_address)
 	/* Copy SubXIDs, if present. */
 	if (serialized_snapshot->subxcnt > 0)
 	{
-		snapshot->subxip = snapshot->xip + serialized_snapshot->xcnt;
+		snapshot->subxip = ((TransactionId *) (snapshot + 1)) +
+			serialized_snapshot->xcnt;
 		memcpy(snapshot->subxip, serialized_xids + serialized_snapshot->xcnt,
 			   serialized_snapshot->subxcnt * sizeof(TransactionId));
 	}

Original file line number	Diff line number	Diff line change
`@@ -1573,7 +1573,8 @@ RestoreSnapshot(char *start_address)`
`1573`	`1573`	`/* Copy SubXIDs, if present. */`
`1574`	`1574`	`if (serialized_snapshot->subxcnt > 0)`
`1575`	`1575`	`{`
`1576`		`- snapshot->subxip = snapshot->xip + serialized_snapshot->xcnt;`
	`1576`	`+ snapshot->subxip = ((TransactionId *) (snapshot + 1)) +`
	`1577`	`+ serialized_snapshot->xcnt;`
`1577`	`1578`	`memcpy(snapshot->subxip, serialized_xids + serialized_snapshot->xcnt,`
`1578`	`1579`	`serialized_snapshot->subxcnt * sizeof(TransactionId));`
`1579`	`1580`	`}`