Fix MCV input array checks in statistics restore functions The SQL functions for the restore of attribute and expression statistics accept "most_common_vals" and "most_common_freqs" as independent arrays. The planner assumes these have the same number of elements, but it was possible to insert in the catalogs data that would cause an over-read when the catalog data is loaded in the planner.
There were two holes in the stats restore logic: - Both arrays should match in size. - The input array must be one-dimensional, and it should match with what is delivered by pg_dump when scanning the pg_stats catalogs. The multivariate extended statistics MCV path (import_mcv) already validated these inputs via check_mcvlist_array(), and is not affected. These problems exist in v18 and newer versions for the restore of attribute statistics. These problems affect only HEAD for the restore of the expression statistics. Reported-by: Jeroen Gui <[email protected]> Author: Michael Paquier <[email protected]> Reviewed-by: Amit Langote <[email protected]> Reviewed-by: John Naylor <[email protected]> Security: CVE-2026-6575 Backpatch-through: 18 Branch ------ master Details ------- https://git.postgresql.org/pg/commitdiff/6d6348f0329dd50ba9f954df28c2ffa88a15df07 Author: Michael Paquier <[email protected]> Modified Files -------------- src/backend/statistics/attribute_stats.c | 25 +++++- src/backend/statistics/extended_stats_funcs.c | 26 ++++++ src/backend/statistics/stat_utils.c | 9 ++ src/test/regress/expected/stats_import.out | 117 +++++++++++++++++++++++++- src/test/regress/sql/stats_import.sql | 76 +++++++++++++++++ 5 files changed, 248 insertions(+), 5 deletions(-)
