| From: | PG Bug reporting form <noreply(at)postgresql(dot)org> |
|---|---|
| To: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
| Cc: | zengman(at)halodbtech(dot)com |
| Subject: | BUG #19492: intarray: fix variable stats leak in _int_matchsel |
| Date: | 2026-05-24 05:13:05 |
| Message-ID: | 19492-ddcd0e22399ef85a@postgresql.org |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
The following bug has been logged on the website:
Bug reference: 19492
Logged by: Man Zeng
Email address: zengman(at)halodbtech(dot)com
PostgreSQL version: 18.4
Operating system: 24.04.1-Ubuntu
Description:
Hi all,
While investigating the intarray contrib module, I noticed a variable
stats leak in _int_matchsel().
When vardata.vartype != INT4ARRAYOID, the function returns
DEFAULT_EQ_SEL early without releasing the variable stats previously
acquired via examine_variable(). This causes a memory leak in the
current memory context.
The fix is straightforward: add ReleaseVariableStats(vardata) before
the early return.
Steps to reproduce:
```sql
postgres(at)zxm-VMware-Virtual-Platform:~/code/postgres/contrib$ psql
psql (19devel)
Type "help" for help.
postgres=# CREATE EXTENSION intarray;
CREATE EXTENSION
postgres=# CREATE OR REPLACE FUNCTION my_text_eq(a text, b text) RETURNS
boolean AS $$
BEGIN
RETURN a = b;
END;
$$ LANGUAGE plpgsql;
CREATE FUNCTION
postgres=# CREATE OPERATOR %% (
LEFTARG = text,
RIGHTARG = text,
FUNCTION = my_text_eq,
RESTRICT = _int_matchsel
);
CREATE OPERATOR
postgres=# CREATE TEMP TABLE test_vuln (t text);
CREATE TABLE
postgres=# INSERT INTO test_vuln SELECT md5(i::text) FROM generate_series(1,
1000) i;
ANALYZE test_vuln;
INSERT 0 1000
ANALYZE
postgres=# EXPLAIN (COSTS ON) SELECT * FROM test_vuln WHERE t %%
'test'::text;
2026-05-20 23:47:42.257 CST [11370] WARNING: resource was not closed: cache
pg_statistic (73), tuple 9/33 has count 1
WARNING: resource was not closed: cache pg_statistic (73), tuple 9/33 has
count 1
QUERY PLAN
------------------------------------------------------------
Seq Scan on test_vuln (cost=0.00..269.00 rows=5 width=33)
Filter: (t %% 'test'::text)
(2 rows)
postgres=#
```
SQL:
```sql
CREATE EXTENSION intarray;
CREATE OR REPLACE FUNCTION my_text_eq(a text, b text) RETURNS boolean AS $$
BEGIN
RETURN a = b;
END;
$$ LANGUAGE plpgsql;
CREATE OPERATOR %% (
LEFTARG = text,
RIGHTARG = text,
FUNCTION = my_text_eq,
RESTRICT = _int_matchsel
);
CREATE TEMP TABLE test_vuln (t text);
INSERT INTO test_vuln SELECT md5(i::text) FROM generate_series(1, 1000) i;
ANALYZE test_vuln;
EXPLAIN (COSTS ON) SELECT * FROM test_vuln WHERE t %% 'test'::text;
```
Regards,
Man Zeng
| From | Date | Subject | |
|---|---|---|---|
| Next Message | zengman | 2026-05-24 05:15:43 | Re:BUG #19492: intarray: fix variable stats leak in _int_matchsel |
| Previous Message | Matheus Alcantara | 2026-05-22 20:56:05 | Re: BUG #19484: Segmentation fault triggered by FDW |