Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wRVLo-002PCH-1l for pgsql-bugs@arkaria.postgresql.org; Mon, 25 May 2026 13:28:12 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wRVLm-001KtQ-1x for pgsql-bugs@arkaria.postgresql.org; Mon, 25 May 2026 13:28:11 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wR1AB-00GYPI-1b for pgsql-bugs@lists.postgresql.org; Sun, 24 May 2026 05:14:12 +0000 Received: from mahout.postgresql.org ([2001:4800:3e1:1::227]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1wR1A9-000000019CL-09Vk for pgsql-bugs@lists.postgresql.org; Sun, 24 May 2026 05:14:12 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=postgresql.org; s=20171124; h=Message-ID:Date:Reply-To:Cc:From:To:Subject: Content-Transfer-Encoding:MIME-Version:Content-Type:Sender:Content-ID: Content-Description:In-Reply-To:References; bh=IqwK7BscNOhkeeAjIadOlGhY1ej5tWpBo1lLWqKOVac=; b=kHyvc/u21VHy/5pmrTZOGAG4lP CP2n/k38PZtfX5oQDtyP47cfj7NAye4zppAntClaUI1NHN/N1ElQGeXc94pfv2GVF/RRJDOBGoXkD 36SwT+sckCJKtLJ5t7Bc9bjxWHyaOAusFJhy7bRNNC81GZjaNaysszjOw9YXLoKfvuOtF9tDMnqhr EbJ84MCC1iS8ZS8i0+StNWMUQ1v5I4mnYmlqbTWjzdaB5Hn2iQQyzmNv7sVLixHSrXCxWqVq1mGC0 gfwpoqs+0q1GOZxAeSiYEgzr8trwpRlt4WMcYL8F+MBJcO6n3M8pJyWo0b7fHmWeLYFymCiq66l2T 7y1pEQSA==; Received: from wrigleys.postgresql.org ([2a02:16a8:dc51::60]) by mahout.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wR1A5-001bNl-0t for pgsql-bugs@lists.postgresql.org; Sun, 24 May 2026 05:14:07 +0000 Received: from localhost ([127.0.0.1] helo=wrigleys.postgresql.org) by wrigleys.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wR1A3-006e1Q-2J for pgsql-bugs@lists.postgresql.org; Sun, 24 May 2026 05:14:03 +0000 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Subject: BUG #19492: intarray: fix variable stats leak in _int_matchsel To: pgsql-bugs@lists.postgresql.org From: PG Bug reporting form Cc: zengman@halodbtech.com Reply-To: zengman@halodbtech.com, pgsql-bugs@lists.postgresql.org Date: Sun, 24 May 2026 05:13:05 +0000 Message-ID: <19492-ddcd0e22399ef85a@postgresql.org> X-Auto-Response-Suppress: All Auto-Submitted: auto-generated List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk The following bug has been logged on the website: Bug reference: 19492 Logged by: Man Zeng Email address: zengman@halodbtech.com PostgreSQL version: 18.4 Operating system: 24.04.1-Ubuntu Description: =20 Hi all, While investigating the intarray contrib module, I noticed a variable stats leak in _int_matchsel(). When vardata.vartype !=3D INT4ARRAYOID, the function returns DEFAULT_EQ_SEL early without releasing the variable stats previously acquired via examine_variable(). This causes a memory leak in the current memory context. The fix is straightforward: add ReleaseVariableStats(vardata) before the early return. Steps to reproduce: ```sql postgres@zxm-VMware-Virtual-Platform:~/code/postgres/contrib$ psql psql (19devel) Type "help" for help. postgres=3D# CREATE EXTENSION intarray; CREATE EXTENSION postgres=3D# CREATE OR REPLACE FUNCTION my_text_eq(a text, b text) RETURNS boolean AS $$ BEGIN RETURN a =3D b; END; $$ LANGUAGE plpgsql; CREATE FUNCTION postgres=3D# CREATE OPERATOR %% ( LEFTARG =3D text, RIGHTARG =3D text, FUNCTION =3D my_text_eq, RESTRICT =3D _int_matchsel ); CREATE OPERATOR postgres=3D# CREATE TEMP TABLE test_vuln (t text); CREATE TABLE postgres=3D# INSERT INTO test_vuln SELECT md5(i::text) FROM generate_series= (1, 1000) i; ANALYZE test_vuln; INSERT 0 1000 ANALYZE postgres=3D# EXPLAIN (COSTS ON) SELECT * FROM test_vuln WHERE t %% 'test'::text; 2026-05-20 23:47:42.257 CST [11370] WARNING: resource was not closed: cache pg_statistic (73), tuple 9/33 has count 1 WARNING: resource was not closed: cache pg_statistic (73), tuple 9/33 has count 1 QUERY PLAN ------------------------------------------------------------ Seq Scan on test_vuln (cost=3D0.00..269.00 rows=3D5 width=3D33) Filter: (t %% 'test'::text) (2 rows) postgres=3D# ``` SQL: ```sql CREATE EXTENSION intarray; CREATE OR REPLACE FUNCTION my_text_eq(a text, b text) RETURNS boolean AS $$ BEGIN RETURN a =3D b; END; $$ LANGUAGE plpgsql; CREATE OPERATOR %% ( LEFTARG =3D text, RIGHTARG =3D text, FUNCTION =3D my_text_eq, RESTRICT =3D _int_matchsel ); CREATE TEMP TABLE test_vuln (t text); INSERT INTO test_vuln SELECT md5(i::text) FROM generate_series(1, 1000) i; ANALYZE test_vuln; EXPLAIN (COSTS ON) SELECT * FROM test_vuln WHERE t %% 'test'::text; ``` Regards, Man Zeng