pgsql: Fix MCV input array checks in statistics restore functions

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Noah Misch <[email protected]>
To: [email protected]
Subject: pgsql: Fix MCV input array checks in statistics restore functions
Date: Mon, 11 May 2026 12:19:37 +0000
Message-ID: <[email protected]> (raw)

Fix MCV input array checks in statistics restore functions

The SQL functions for the restore of attribute and expression statistics
accept "most_common_vals" and "most_common_freqs" as independent arrays.
The planner assumes these have the same number of elements, but it was
possible to insert in the catalogs data that would cause an over-read
when the catalog data is loaded in the planner.

There were two holes in the stats restore logic:
- Both arrays should match in size.
- The input array must be one-dimensional, and it should match with what
is delivered by pg_dump when scanning the pg_stats catalogs.

The multivariate extended statistics MCV path (import_mcv) already
validated these inputs via check_mcvlist_array(), and is not affected.
These problems exist in v18 and newer versions for the restore of
attribute statistics.  These problems affect only HEAD for the restore
of the expression statistics.

Reported-by: Jeroen Gui <[email protected]>
Author: Michael Paquier <[email protected]>
Reviewed-by: Amit Langote <[email protected]>
Reviewed-by: John Naylor <[email protected]>
Security: CVE-2026-6575
Backpatch-through: 18

Branch
------
REL_18_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/661095c40c0bcbb9c49743f518417a2977b63aef
Author: Michael Paquier <[email protected]>

Modified Files
--------------
src/backend/statistics/attribute_stats.c   | 34 ++++++++++--
src/test/regress/expected/stats_import.out | 83 +++++++++++++++++++++++++++++-
src/test/regress/sql/stats_import.sql      | 54 +++++++++++++++++++
3 files changed, 166 insertions(+), 5 deletions(-)

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected]
  Subject: Re: pgsql: Fix MCV input array checks in statistics restore functions
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox