From 83c0a580d3c08b36dc19f550e312d651c28e5a80 Mon Sep 17 00:00:00 2001
From: Jianghua Yang <yjhjstz@gmail.com>
Date: Fri, 15 May 2026 08:55:02 +0800
Subject: [PATCH] Fix use-after-free in GetExtStatisticsName

ReleaseSysCache(htup) was called before NameStr(staForm->stxname) was
read, returning a pointer into the already-released tuple buffer.
Copy the name with pstrdup() first, then release the cache entry.
---
 src/backend/optimizer/util/plancat.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/backend/optimizer/util/plancat.c b/src/backend/optimizer/util/plancat.c
index 13c2ea77699..f1d08a4d128 100644
--- a/src/backend/optimizer/util/plancat.c
+++ b/src/backend/optimizer/util/plancat.c
@@ -1621,8 +1621,10 @@ GetExtStatisticsName(Oid statOid)
 		elog(ERROR, "cache lookup failed for statistics object %u", statOid);
 
 	staForm = (Form_pg_statistic_ext) GETSTRUCT(htup);
+	/* Copy the name before releasing the cache entry. */
+	char *result = pstrdup(NameStr(staForm->stxname));
 	ReleaseSysCache(htup);
-	return NameStr(staForm->stxname);
+	return result;
 }
 
 /*