git.ipfire.org Git - thirdparty/postgresql.git/commit

author	Michael Paquier <michael@paquier.xyz>
	Mon, 11 May 2026 12:13:46 +0000 (05:13 -0700)
committer	Noah Misch <noah@leadboat.com>
	Mon, 11 May 2026 12:13:46 +0000 (05:13 -0700)
commit	6d6348f0329dd50ba9f954df28c2ffa88a15df07
tree	c0d666fee52fda2fcbd1f0262df7158168b65d1b	tree \| snapshot
parent	ec8ded4b327f9d121811f43bf0177d0f289c3949	commit \| diff

Fix MCV input array checks in statistics restore functions

The SQL functions for the restore of attribute and expression statistics
accept "most_common_vals" and "most_common_freqs" as independent arrays.
The planner assumes these have the same number of elements, but it was
possible to insert in the catalogs data that would cause an over-read
when the catalog data is loaded in the planner.

There were two holes in the stats restore logic:
- Both arrays should match in size.
- The input array must be one-dimensional, and it should match with what
is delivered by pg_dump when scanning the pg_stats catalogs.

The multivariate extended statistics MCV path (import_mcv) already
validated these inputs via check_mcvlist_array(), and is not affected.
These problems exist in v18 and newer versions for the restore of
attribute statistics. These problems affect only HEAD for the restore
of the expression statistics.

Reported-by: Jeroen Gui <jeroen.gui1@proton.me>
Author: Michael Paquier <michael@paquier.xyz>
Reviewed-by: Amit Langote <amitlangote09@gmail.com>
Reviewed-by: John Naylor <johncnaylorls@gmail.com>
Security: CVE-2026-6575
Backpatch-through: 18

src/backend/statistics/attribute_stats.c		diff \| blob \| blame \| history
src/backend/statistics/extended_stats_funcs.c		diff \| blob \| blame \| history
src/backend/statistics/stat_utils.c		diff \| blob \| blame \| history
src/test/regress/expected/stats_import.out		diff \| blob \| blame \| history
src/test/regress/sql/stats_import.sql		diff \| blob \| blame \| history