Uploaded image for project: 'MariaDB Connector/C'
  1. MariaDB Connector/C
  2. CONC-192

mysql_real_query() Invalid write of size 1 on certain query strings will crash

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Critical
    • Resolution: Fixed
    • None
    • 2.3.6
    • None
    • Debian 8.2

    Description

      ==9532== Invalid write of size 1
      ==9532==    at 0x4E5228D: ??? (in /usr/lib/x86_64-linux-gnu/libmariadb.so.2)
      ==9532==    by 0x4E5288D: ??? (in /usr/lib/x86_64-linux-gnu/libmariadb.so.2)
      ==9532==    by 0x4E52B96: mysql_real_query (in /usr/lib/x86_64-linux-gnu/libmariadb.so.2)
      ==9532==    by 0x4007B7: executeSQL (Test_MariaDB_main.c:22)
      ==9532==    by 0x4008C3: main (Test_MariaDB_main.c:55)
      ==9532==  Address 0x63d4228 is 0 bytes after a block of size 8,152 alloc'd
      ==9532==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
      ==9532==    by 0x4E5AEE8: ??? (in /usr/lib/x86_64-linux-gnu/libmariadb.so.2)
      ==9532==    by 0x4E58E26: ??? (in /usr/lib/x86_64-linux-gnu/libmariadb.so.2)
      ==9532==    by 0x4E52216: ??? (in /usr/lib/x86_64-linux-gnu/libmariadb.so.2)
      ==9532==    by 0x4E5288D: ??? (in /usr/lib/x86_64-linux-gnu/libmariadb.so.2)
      ==9532==    by 0x4E52B96: mysql_real_query (in /usr/lib/x86_64-linux-gnu/libmariadb.so.2)
      ==9532==    by 0x4007B7: executeSQL (Test_MariaDB_main.c:22)
      ==9532==    by 0x4008C3: main (Test_MariaDB_main.c:55)
      

      Testprogram:

      #include <stdio.h>
      #include <string.h>
      #include <mysql.h>
      /*
      System Information:
      -------------------
      debian_version 8.2
      mysql  Ver 15.1 Distrib 10.1.14-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
       
      Build:
      ------
      gcc -g -Wall -I/usr/include/mariadb -lmysqlclient Test_MariaDB_main.c 
       
      Execute:
      --------
      valgrind ./a.out
      */
      #define SQL(s) executeSQL(s,sock)
       
      int executeSQL(const char *sql, MYSQL *sock)
      {
          int sql_rc = mysql_real_query(sock, sql, strlen(sql));
       
          if(sql_rc){
          	printf("could not evaluate expression \"%s\"\n***Error: %i %s\n",sql,sql_rc,mysql_error(sock));
          }else{
          	printf("executed:\n%s\n\n",sql);
          }
          return sql_rc;
      }
       
      int main(int argc, char **argv)
      {
          MYSQL *sock = NULL;
       
          sock = mysql_init(sock);
      	if (!mysql_real_connect(sock /*MYSQL **/,
      			    (char *)"localhost", /*host,*/
      			    (char *)"root",     /*user,*/
      			    (char *)"root", /*passwd,*/
      			    (char *)NULL,               /*db,*/
      			    0,                       /*port,*/
          			"/var/run/mysqld/mysqld.sock",					/*or NULL*/
      			    0                           /*clientflag*/)) {
              const char *message = mysql_error(sock);
              printf("no connection to localhost with -uroot -proot /var/run/mysqld/mysqld.sock\n%s\n",message);
              return 0;
          }
          SQL("set names utf8;");
          SQL("use intars_000141;");
          SQL("select t1.`abc`,t1.`adressfeld`,t1.`angebot_per_mail`,t1.`anrede`,t1.`anz_keywords`,t1.`ausstaende`,t1.`bank`,t1.`bemerkung`,t1.`bemerkung1`,t1.`bemerkung2`,t1.`besuchber1`,t1.`besuchber2`,t1.`besuchber3`,t1.`besuchdat1`,t1.`besuchdat2`,t1.`besuchdat3`,t1.`besuchdat4`,t1.`besuchdat5`,t1.`besuchdat6`,t1.`besuchplan`,t1.`besuchvtr1`,t1.`besuchvtr2`,t1.`besuchvtr3`,t1.`besuchvtr4`,t1.`besuchvtr5`,t1.`besuchvtr6`,t1.`bic`,t1.`blz`,t1.`branche`,t1.`briefanred`,t1.`cdate`,t1.`cuser`,t1.`deck_beit`,t1.`dupident`,t1.`einkverb`,t1.`einzug`,t1.`email`,t1.`entfernung`,t1.`fibu`,t1.`form_vtr`,t1.`funktelefo`,t1.`geburtstag`,t1.`gehoert_zu`,t1.`gm_url`,t1.`is_duplette`,t1.`kdgruppe`,t1.`kdnrab`,t1.`kdnrre`,t1.`kommunikation`,t1.`kontonumme`,t1.`kuabc`,t1.`kualzuab`,t1.`kuartrab1`,t1.`kuartrab2`,t1.`kuartrab3`,t1.`kuartrab4`,t1.`kuartrab5`,t1.`kuartrab6`,t1.`kuartrab7`,t1.`kuartrab8`,t1.`kuartrab9`,t1.`kuauslager`,t1.`kubran`,t1.`kufracht`,t1.`kuliefbed`,t1.`kundenart`,t1.`kundennumm`,t1.`kuprovis`,t1.`kutourtag`,t1.`kuumsatz`,t1.`kuumsvj`,t1.`kuumsvvj`,t1.`kuvershinw`,t1.`kuzahlbed`,t1.`ladressfeld`,t1.`land_pb`,t1.`lang`,t1.`lanrede`,t1.`ldate`,t1.`letzte_akte`,t1.`letzte_lieferun`,t1.`letzte_rechnung`,t1.`letzter_auftrag`,t1.`letzterauf`,t1.`letztes_anschreiben`,t1.`letztrech`,t1.`lieferant`,t1.`lieferstopp`,t1.`liefkopi`,t1.`limit1`,t1.`lkwdate`,t1.`lland_pb`,t1.`lmahnung`,t1.`lnachname`,t1.`lname`,t1.`lort`,t1.`lplz`,t1.`lstrasse`,t1.`lsv`,t1.`luser`,t1.`lvorname`,t1.`lzusatz`,t1.`lzusatz2`,t1.`lzusatz3`,t1.`mahnprofil`,t1.`mahnsperre`,t1.`matchcode`,t1.`mengenrabatt`,t1.`messe`,t1.`migriert`,t1.`mitkurz`,t1.`mwstkennun`,t1.`mwstkennuninfo`,t1.`nachname`,t1.`name`,t1.`oeffnungszeiten`,t1.`opnummer`,t1.`ort`,t1.`packzetteltext`,t1.`plz`,t1.`plzpostfac`,t1.`pm_mandant`,t1.`pm_std_satz`,t1.`postfachnu`,t1.`privat`,t1.`privatkunde`,t1.`produktkatalog`,t1.`rabatt`,t1.`rabattgrup`,t1.`radressfeld`,t1.`ranking`,t1.`ranrede`,t1.`rechnungs_kopie`,t1.`rland_pb`,t1.`rnachname`,t1.`rname`,t1.`rort`,t1.`rplz`,t1.`rstrasse`,t1.`rvorname`,t1.`rzusatz`,t1.`rzusatz2`,t1.`rzusatz3`,t1.`sachbearb1`,t1.`sachbearb2`,t1.`skype`,t1.`status`,t1.`steuercode`,t1.`strasse`,t1.`swift`,t1.`telefax`,t1.`telefon`,t1.`telefon2`,t1.`telefon_such`,t1.`terrorist`,t1.`ts_301`,t1.`ts_331`,t1.`ts_import`,t1.`umsatz2009`,t1.`umsatz2010`,t1.`umsatz2011`,t1.`umsatz2012`,t1.`umsatz2013`,t1.`umsatz2014`,t1.`umsatz2015`,t1.`umsatz2016`,t1.`umsatzgesamt`,t1.`umsatzsteu`,t1.`unsere_kdnr`,t1.`unsere_lief_nr`,t1.`versandart`,t1.`vorname`,t1.`waehrung_pb`,t1.`warntext`,t1.`warntext_buch`,t1.`webadresse`,t1.`zahlungszi`,t1.`zusatz`,t1.`zusatz2`,t1.`zusatz3` from vid_kunde t1   where status = 'J' and (privat = 'N' or cuser = 'Administrator')   limit 0,10 ;");
       
      	mysql_close(sock);
          return 0;
      }
      

      Attachments

        1. GNUmakefile
          0.5 kB
        2. intars_000141_empty.zip
          37 kB
        3. Test_MariaDB_main.c
          4 kB
        4. Test_MariaDB_ObjC_main.m
          9 kB
        5. Test_MariaDB_Workaround_main.c
          7 kB

        Activity

          People

            Unassigned Unassigned
            Pirmin Pirmin Braun
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.