Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wPLSN-000fQd-1D for pgsql-hackers@arkaria.postgresql.org; Tue, 19 May 2026 14:30:03 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wPLSL-004WZ7-11 for pgsql-hackers@arkaria.postgresql.org; Tue, 19 May 2026 14:30:02 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wPLSK-004WYv-2p for pgsql-hackers@lists.postgresql.org; Tue, 19 May 2026 14:30:01 +0000 Received: from forward103b.mail.yandex.net ([178.154.239.150]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1wPLSJ-00000000Nx5-0SAs for pgsql-hackers@lists.postgresql.org; Tue, 19 May 2026 14:30:01 +0000 Received: from mail-nwsmtp-smtp-production-main-91.iva.yp-c.yandex.net (mail-nwsmtp-smtp-production-main-91.iva.yp-c.yandex.net [IPv6:2a02:6b8:c0c:99a0:0:640:85e0:0]) by forward103b.mail.yandex.net (Yandex) with ESMTPS id 908F3C0096 for ; Tue, 19 May 2026 17:29:57 +0300 (MSK) Received: by mail-nwsmtp-smtp-production-main-91.iva.yp-c.yandex.net (smtp) with ESMTPSA id uTSEmu27VSw0-XtmHz6cB; Tue, 19 May 2026 17:29:57 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tantorlabs.com; s=mail; t=1779200997; bh=YrFDHgA32jDRxyW3diw6cAW1ItdNZiyTr3R53WsJJ0s=; h=Subject:To:Message-ID:Date:From; b=qoaEE1GqguBijpLPve2Fwk0JAwu1zPaYviZjWPzGaFgy0J2Kj4D0Zw+a5QMqDSjaX 48CcXzZvYzROcBfGqFcpiNtY/2C4GkrxdUK1737cAzipL7qFLn6i4qFTzIedrNiKTM 8a7CI37tzs+Ge78g6AhJygEoOLaHVkOhk8GsitVg= Authentication-Results: mail-nwsmtp-smtp-production-main-91.iva.yp-c.yandex.net; dkim=pass header.i=@tantorlabs.com Content-Type: multipart/mixed; boundary="------------XJRauab4n9iTHpBBcsjSdqGO" Message-ID: <4b8d299d-2505-4c30-bf80-0f697410db35@tantorlabs.com> Date: Tue, 19 May 2026 17:29:56 +0300 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Content-Language: en-US To: PostgreSQL Hackers From: Ilia Evdokimov Subject: Fix incorrect size check in statext_dependencies_deserialize List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk This is a multi-part message in MIME format. --------------XJRauab4n9iTHpBBcsjSdqGO Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Hi hackers, I noticed an issue in `statext_dependencies_deserialize()`. The sanity check uses `SizeOfItem` to validate the bytea size, but `SizeOfItem()` expects the number of attributes in a single dependency, not the number of dependencies. This means the check is computing the size of one dependency with ndeps attributes, which is incorrect. It should use `MinSizeOfItems` instead, which correctly computes the minimum expected size as the header plus `ndeps` minimally-sized dependency items. Notably, the similar function for ndistinct extended statistics `statext_ndistinct_deserialize()` already uses `MinSizeOfItems` correctly, which suggests this is a typo rather than an intentional choice. -- Best regards, Ilia Evdokimov, Tantor Labs LLC, https://tantorlabs.com/ --------------XJRauab4n9iTHpBBcsjSdqGO Content-Type: text/x-patch; charset=UTF-8; name="v1-0001-Fix-size-check-in-statext_dependencies_deserializ.patch" Content-Disposition: attachment; filename*0="v1-0001-Fix-size-check-in-statext_dependencies_deserializ.pa"; filename*1="tch" Content-Transfer-Encoding: base64 RnJvbSA1ZTc2MGI5ZDYzYzEyZWY1MDRhM2ZkM2JlNzVkZDI1MTEyMTExNjViIE1vbiBTZXAg MTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBFdmRva2ltb3YgSWxpYSA8aWx5YS5ldmRva2ltb3ZA dGFudG9ybGFicy5jb20+CkRhdGU6IFR1ZSwgMTkgTWF5IDIwMjYgMTc6MTc6MDEgKzAzMDAK U3ViamVjdDogW1BBVENIIHYxXSBGaXggc2l6ZSBjaGVjayBpbiBzdGF0ZXh0X2RlcGVuZGVu Y2llc19kZXNlcmlhbGl6ZSgpCgpUaGUgc2FuaXR5IGNoZWNrIHdhcyB1c2luZyBTaXplT2ZJ dGVtKGRlcGVuZGVuY2llcy0+bmRlcHMpIHRvIHZhbGlkYXRlCnRoZSBieXRlYSBzaXplLCBi dXQgU2l6ZU9mSXRlbSgpIGV4cGVjdHMgdGhlIG51bWJlciBvZiBhdHRyaWJ1dGVzIGluIGEK c2luZ2xlIGRlcGVuZGVuY3ksIG5vdCB0aGUgbnVtYmVyIG9mIGRlcGVuZGVuY2llcy4gUmVw bGFjZSBpdCB3aXRoCk1pblNpemVPZkl0ZW1zKG5kZXBzKSwgd2hpY2ggY29ycmVjdGx5IGNv bXB1dGVzIHRoZSBtaW5pbXVtIGV4cGVjdGVkCnNpemUgYXMgdGhlIGhlYWRlciBwbHVzIG5k ZXBzIG1pbmltYWxseS1zaXplZCBkZXBlbmRlbmN5IGl0ZW1zLgotLS0KIHNyYy9iYWNrZW5k L3N0YXRpc3RpY3MvZGVwZW5kZW5jaWVzLmMgfCAyICstCiAxIGZpbGUgY2hhbmdlZCwgMSBp bnNlcnRpb24oKyksIDEgZGVsZXRpb24oLSkKCmRpZmYgLS1naXQgYS9zcmMvYmFja2VuZC9z dGF0aXN0aWNzL2RlcGVuZGVuY2llcy5jIGIvc3JjL2JhY2tlbmQvc3RhdGlzdGljcy9kZXBl bmRlbmNpZXMuYwppbmRleCBlM2EyZjU4MTdlMC4uOTVkY2MyMTg5NzggMTAwNjQ0Ci0tLSBh L3NyYy9iYWNrZW5kL3N0YXRpc3RpY3MvZGVwZW5kZW5jaWVzLmMKKysrIGIvc3JjL2JhY2tl bmQvc3RhdGlzdGljcy9kZXBlbmRlbmNpZXMuYwpAQCAtNTI5LDcgKzUyOSw3IEBAIHN0YXRl eHRfZGVwZW5kZW5jaWVzX2Rlc2VyaWFsaXplKGJ5dGVhICpkYXRhKQogCQllbG9nKEVSUk9S LCAiaW52YWxpZCB6ZXJvLWxlbmd0aCBpdGVtIGFycmF5IGluIE1WRGVwZW5kZW5jaWVzIik7 CiAKIAkvKiB3aGF0IG1pbmltdW0gYnl0ZWEgc2l6ZSBkbyB3ZSBleHBlY3QgZm9yIHRob3Nl IHBhcmFtZXRlcnMgKi8KLQltaW5fZXhwZWN0ZWRfc2l6ZSA9IFNpemVPZkl0ZW0oZGVwZW5k ZW5jaWVzLT5uZGVwcyk7CisJbWluX2V4cGVjdGVkX3NpemUgPSBNaW5TaXplT2ZJdGVtcyhk ZXBlbmRlbmNpZXMtPm5kZXBzKTsKIAogCWlmIChWQVJTSVpFX0FOWV9FWEhEUihkYXRhKSA8 IG1pbl9leHBlY3RlZF9zaXplKQogCQllbG9nKEVSUk9SLCAiaW52YWxpZCBkZXBlbmRlbmNp ZXMgc2l6ZSAlenUgKGV4cGVjdGVkIGF0IGxlYXN0ICV6dSkiLAotLSAKMi4zNC4xCgo= --------------XJRauab4n9iTHpBBcsjSdqGO--