Participants
PG Bug reporting form
PG Bug reporting form
Attachments
Show all attachments
Thread Outline
#1PG Bug reporting formPG Bug reporting form
1 day ago

BUG #19492: intarray: fix variable stats leak in _int_matchsel

Started by PG Bug reporting form1 day ago1 messagesbugs
Jump to latest
#1PG Bug reporting form
PG Bug reporting form
noreply@postgresql.org

The following bug has been logged on the website:

Bug reference: 19492
Logged by: Man Zeng
Email address: zengman@halodbtech.com
PostgreSQL version: 18.4
Operating system: 24.04.1-Ubuntu
Description:

Hi all,

While investigating the intarray contrib module, I noticed a variable
stats leak in _int_matchsel().

When vardata.vartype != INT4ARRAYOID, the function returns
DEFAULT_EQ_SEL early without releasing the variable stats previously
acquired via examine_variable(). This causes a memory leak in the
current memory context.

The fix is straightforward: add ReleaseVariableStats(vardata) before
the early return.

Steps to reproduce:
```sql
postgres@zxm-VMware-Virtual-Platform:~/code/postgres/contrib$ psql
psql (19devel)
Type "help" for help.

postgres=# CREATE EXTENSION intarray;
CREATE EXTENSION
postgres=# CREATE OR REPLACE FUNCTION my_text_eq(a text, b text) RETURNS
boolean AS $$
BEGIN
RETURN a = b;
END;
$$ LANGUAGE plpgsql;
CREATE FUNCTION
postgres=# CREATE OPERATOR %% (
LEFTARG = text,
RIGHTARG = text,
FUNCTION = my_text_eq,
RESTRICT = _int_matchsel
);
CREATE OPERATOR
postgres=# CREATE TEMP TABLE test_vuln (t text);
CREATE TABLE
postgres=# INSERT INTO test_vuln SELECT md5(i::text) FROM generate_series(1,
1000) i;
ANALYZE test_vuln;
INSERT 0 1000
ANALYZE
postgres=# EXPLAIN (COSTS ON) SELECT * FROM test_vuln WHERE t %%
'test'::text;
2026-05-20 23:47:42.257 CST [11370] WARNING: resource was not closed: cache
pg_statistic (73), tuple 9/33 has count 1
WARNING: resource was not closed: cache pg_statistic (73), tuple 9/33 has
count 1
QUERY PLAN
------------------------------------------------------------
Seq Scan on test_vuln (cost=0.00..269.00 rows=5 width=33)
Filter: (t %% 'test'::text)
(2 rows)

postgres=#
```

SQL:
```sql
CREATE EXTENSION intarray;
CREATE OR REPLACE FUNCTION my_text_eq(a text, b text) RETURNS boolean AS $$
BEGIN
RETURN a = b;
END;
$$ LANGUAGE plpgsql;
CREATE OPERATOR %% (
LEFTARG = text,
RIGHTARG = text,
FUNCTION = my_text_eq,
RESTRICT = _int_matchsel
);
CREATE TEMP TABLE test_vuln (t text);
INSERT INTO test_vuln SELECT md5(i::text) FROM generate_series(1, 1000) i;
ANALYZE test_vuln;
EXPLAIN (COSTS ON) SELECT * FROM test_vuln WHERE t %% 'test'::text;
```

Regards,
Man Zeng

← Back to Topics