BUG #19492: intarray: fix variable stats leak in _int_matchsel

public inbox for [email protected]  
help / color / mirror / Atom feed

From: PG Bug reporting form <[email protected]>
To: [email protected]
Cc: [email protected]
Subject: BUG #19492: intarray: fix variable stats leak in _int_matchsel
Date: Sun, 24 May 2026 05:13:05 +0000
Message-ID: <[email protected]> (raw)

The following bug has been logged on the website:

Bug reference:      19492
Logged by:          Man Zeng
Email address:      [email protected]
PostgreSQL version: 18.4
Operating system:   24.04.1-Ubuntu
Description:        

Hi all,

While investigating the intarray contrib module, I noticed a variable
stats leak in _int_matchsel().

When vardata.vartype != INT4ARRAYOID, the function returns
DEFAULT_EQ_SEL early without releasing the variable stats previously
acquired via examine_variable(). This causes a memory leak in the
current memory context.

The fix is straightforward: add ReleaseVariableStats(vardata) before
the early return.

Steps to reproduce:
```sql
postgres@zxm-VMware-Virtual-Platform:~/code/postgres/contrib$ psql
psql (19devel)
Type "help" for help.

postgres=# CREATE EXTENSION intarray;
CREATE EXTENSION
postgres=# CREATE OR REPLACE FUNCTION my_text_eq(a text, b text) RETURNS
boolean AS $$
BEGIN
    RETURN a = b;
END;
$$ LANGUAGE plpgsql;
CREATE FUNCTION
postgres=# CREATE OPERATOR %% (
    LEFTARG = text,
    RIGHTARG = text,
    FUNCTION = my_text_eq,
    RESTRICT = _int_matchsel
);
CREATE OPERATOR
postgres=# CREATE TEMP TABLE test_vuln (t text);
CREATE TABLE
postgres=# INSERT INTO test_vuln SELECT md5(i::text) FROM generate_series(1,
1000) i;
ANALYZE test_vuln;
INSERT 0 1000
ANALYZE
postgres=# EXPLAIN (COSTS ON) SELECT * FROM test_vuln WHERE t %%
'test'::text;
2026-05-20 23:47:42.257 CST [11370] WARNING:  resource was not closed: cache
pg_statistic (73), tuple 9/33 has count 1
WARNING:  resource was not closed: cache pg_statistic (73), tuple 9/33 has
count 1
                         QUERY PLAN
------------------------------------------------------------
 Seq Scan on test_vuln  (cost=0.00..269.00 rows=5 width=33)
   Filter: (t %% 'test'::text)
(2 rows)

postgres=#
```

SQL:
```sql
CREATE EXTENSION intarray;
CREATE OR REPLACE FUNCTION my_text_eq(a text, b text) RETURNS boolean AS $$
BEGIN
    RETURN a = b;
END;
$$ LANGUAGE plpgsql;
CREATE OPERATOR %% (
    LEFTARG = text,
    RIGHTARG = text,
    FUNCTION = my_text_eq,
    RESTRICT = _int_matchsel
);
CREATE TEMP TABLE test_vuln (t text);
INSERT INTO test_vuln SELECT md5(i::text) FROM generate_series(1, 1000) i;
ANALYZE test_vuln;
EXPLAIN (COSTS ON) SELECT * FROM test_vuln WHERE t %% 'test'::text;
```

Regards,
Man Zeng

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected]
  Subject: Re: BUG #19492: intarray: fix variable stats leak in _int_matchsel
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox