Subject: BUG #19458: OOM killer in jsonb_path_exists_opr (@?) with malformed JSONPath containing non-existent variables
To: pgsql-bugs@lists.postgresql.org
From: PG Bug reporting form
Cc: pl0h0yp1@gmail.com
Reply-To: pl0h0yp1@gmail.com, pgsql-bugs@lists.postgresql.org
Date: Fri, 17 Apr 2026 11:20:34 +0000
Message-ID: <19458-a69c98bc498333ba@postgresql.org>

The following bug has been logged on the website:

Bug reference:      19458
Logged by:          Andrey Rachitskiy
Email address:      pl0h0yp1@gmail.com
PostgreSQL version: 14.22
Operating system:   Debian GNU/Linux 12 (bookworm)
Description:

Description:
During fuzzing of the jsonb_path_exists_opr (operator jsonb @? jsonpath, a two-argument version of jsonb_path_exists()), a pathological query was discovered that causes uncontrolled memory consumption, leading to OOM Killer on PostgreSQL versions REL_14/15/16_STABLE. On versions 17 and 18, the same query returns a proper error instead of crashing the server.

This bug was found using AFL++ as a fuzzer and LibBlobStamper as a tool for creating syntactically correct arguments.

Reproduction: Execute the following query: ```sql select '[3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 13558284848669739, 3472328296227668016, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328295419228208, 3472328296227680304, 3528904766546522246, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296328343600, 3472328296227680304, 3472328296227680299, 
3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3470920921344127024, 3906362710315511856, 3472328296228075062, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472334893297446960, 3472328090069248816, 13511005849006128, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 3472328296227680304, 13563782407139376, 4337019423877509168]'::jsonb @? 
'(-$?(0 < ($"〰〭〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰" - $?(0 < $"〰〰〰〰〰〰〰〰〰〰〰〰〰〰" - $?(0 + $ < $"㘰〰㘶〰")."〰〰〰〰")."〰〰〰〰〰〰〰〰") - 0?(+$ < $"〰 〰〰〰")."ほ〰〰㘰")."〰〰〰〶〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰")'::jsonpath;
```

Expected result:
The query should return an error, as happens on versions 17 and 18:
ERROR: could not find jsonpath variable "〰〭〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰〰"

Actual result (14, 15, 16):
- Memory consumption grows until the kernel kills the postgres process via OOM Killer
- Client loses connection:
  server closed the connection unexpectedly
  This probably means the server terminated abnormally
  before or while processing the request.

Kernel log:
516294.487767] Out of memory: Killed process 1135405 (postgres) total-vm:13521932kB, anon-rss:9170792kB, file-rss:92kB, shmem-rss:1848kB, UID:1002 pgtables:26176kB oom_score_adj:0

--
Regards,
Andrey Rachitskiy
Postgres Professional
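
The kernel log line in the report is what an operator sees on an affected host when a backend is killed this way. The following is an added example, not part of the original report: it parses kernel OOM-kill lines and flags postgres backends killed while holding a large amount of anonymous memory. The function names, the 1 GiB threshold and the second and third sample lines are assumptions made for illustration.

```python
import re

# Matches the kernel's OOM-kill message in the form quoted in the report.
OOM_RE = re.compile(
    r"Out of memory: Killed process (?P<pid>\d+) \((?P<comm>[^)]+)\)(?P<rest>.*)"
)
# key:value pairs such as "anon-rss:9170792kB" or "oom_score_adj:0".
FIELD_RE = re.compile(r"([A-Za-z_-]+):(-?\d+)(?:kB)?")


def parse_oom_kills(lines, comm="postgres"):
    """Return one dict per OOM kill whose victim process is named `comm`."""
    events = []
    for line in lines:
        m = OOM_RE.search(line)
        if m is None or m.group("comm") != comm:
            continue
        event = {"pid": int(m.group("pid")), "comm": m.group("comm")}
        for key, value in FIELD_RE.findall(m.group("rest")):
            # "anon-rss" becomes "anon_rss", "UID" becomes "uid"; kB values stay in kB.
            event[key.replace("-", "_").lower()] = int(value)
        events.append(event)
    return events


def large_backend_kills(lines, min_anon_rss_kb=1024 * 1024):
    """Kills where one backend held at least min_anon_rss_kb of anonymous memory.

    The 1 GiB default is an assumed threshold; tune it to the host's RAM.
    """
    return [e for e in parse_oom_kills(lines) if e.get("anon_rss", 0) >= min_anon_rss_kb]


# First entry is the kernel log line from the report; the other two are constructed.
SAMPLE_LOG = [
    "516294.487767] Out of memory: Killed process 1135405 (postgres) "
    "total-vm:13521932kB, anon-rss:9170792kB, file-rss:92kB, shmem-rss:1848kB, "
    "UID:1002 pgtables:26176kB oom_score_adj:0",
    "[516301.000000] Out of memory: Killed process 4242 (chrome) "
    "total-vm:900000kB, anon-rss:500000kB, file-rss:0kB, shmem-rss:0kB, "
    "UID:1000 pgtables:800kB oom_score_adj:300",
    "[516302.000000] usb 1-1: new high-speed USB device number 2 using xhci_hcd",
]

if __name__ == "__main__":
    for e in large_backend_kills(SAMPLE_LOG):
        print(f"postgres pid {e['pid']} OOM-killed, anon-rss {e['anon_rss'] // 1024} MiB")
```

Correlating the reported pid and timestamp with the PostgreSQL server log (for example with statement logging enabled) identifies the query that was running when the backend was killed.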