Fix crash bug in RestoreSnapshot.
author: Robert Haas
Fri, 1 Jul 2016 12:51:58 +0000 (08:51 -0400)
committer: Robert Haas
Fri, 1 Jul 2016 13:03:52 +0000 (09:03 -0400)
If serialized_snapshot->subxcnt > 0 and serialized_snapshot->xcnt == 0,
the old coding would do the wrong thing and crash.  This can happen
on standby servers.

Report by Andreas Seltenreich.  Patch by Thomas Munro, reviewed by
Amit Kapila and tested by Andreas Seltenreich.

src/backend/utils/time/snapmgr.c

index 6ef2df8a20a20429c5bb246ceedd86091bababd6..9cbe226b228709afcfe969d47551b00528e199ea 100644 (file)
@@ -1573,7 +1573,8 @@ RestoreSnapshot(char *start_address)
    /* Copy SubXIDs, if present. */
    if (serialized_snapshot->subxcnt > 0)
    {
-       snapshot->subxip = snapshot->xip + serialized_snapshot->xcnt;
+       snapshot->subxip = ((TransactionId *) (snapshot + 1)) +
+           serialized_snapshot->xcnt;
        memcpy(snapshot->subxip, serialized_xids + serialized_snapshot->xcnt,
               serialized_snapshot->subxcnt * sizeof(TransactionId));
    }
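Review bot: The replaced line in this hunk took `snapshot->xip` as the base address for the SubXID array, which only works when `xcnt > 0`; the commit message says that with `xcnt == 0` and `subxcnt > 0` this crashed, and the new expression avoids the dependency by computing the address from the end of the struct, `(TransactionId *) (snapshot + 1)`, plus `xcnt`. That is correct, but the reason is not visible at the call site: a one-line comment above the assignment stating that `snapshot->xip` may be unset when `xcnt == 0` and that the XID array is laid out directly after the SnapshotData struct would keep a later cleanup from "simplifying" it back to `snapshot->xip + xcnt`. The `memcpy` length, `subxcnt * sizeof(TransactionId)`, and the source offset `serialized_xids + xcnt` are consistent with the new destination, so no further change is needed in this hunk.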