MariaDB Connector/C - CONC-334

mysql_stmt_result_metadata() returns uninitialized memory and causes SEGFAULT

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.3.5, 3.0.4
    • Fix Version/s: 2.3.6, 3.0.5
    • Component/s: None
    • Labels: None

      Description

      The values name_length and table_length from mysql_fetch_field(), as returned by mysql_stmt_result_metadata(), are sometimes zero and sometimes uninitialized.

      Running the application under valgrind showed that reading name_length or table_length caused either "Use of uninitialised value of size 8" or "Conditional jump or move depends on uninitialised value(s)".

      This defect in MariaDB was found while developing the Perl DBI driver DBD::MariaDB: http://github.com/gooddata/DBD-MariaDB. It is causing a SEGFAULT of the perl process when trying to use name_length from mysql_fetch_field().

      All versions of the MariaDB 10.3 series are affected. The MariaDB 10.2 series is also affected since version 10.2.4; 10.2.3 and older work fine. All versions in the MariaDB 5.5 series also work fine.

      All MariaDB Connector/C versions in the 2.3 and 3.0 series are also affected.

      A simple C application for reproducing this problem is in the attachment. Compile it with:
      $ gcc test-length.c -o test-length `mysql_config --cflags --libs`

      Output for MariaDB 10.2.4 (affected):

      $ valgrind ./test-length 127.0.0.1 0 pali pali
      ==19697== Memcheck, a memory error detector
      ==19697== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
      ==19697== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
      ==19697== Command: ./test-length 127.0.0.1 0 pali pali
      ==19697== 
      ==19697== Use of uninitialised value of size 8
      ==19697==    at 0x50BF19B: _itoa_word (_itoa.c:179)
      ==19697==    by 0x50C3899: vfprintf (vfprintf.c:1636)
      ==19697==    by 0x50CA228: printf (printf.c:33)
      ==19697==    by 0x108E5A: main (in test-length)
      ==19697== 
      ==19697== Conditional jump or move depends on uninitialised value(s)
      ==19697==    at 0x50BF1A5: _itoa_word (_itoa.c:179)
      ==19697==    by 0x50C3899: vfprintf (vfprintf.c:1636)
      ==19697==    by 0x50CA228: printf (printf.c:33)
      ==19697==    by 0x108E5A: main (in test-length)
      ==19697== 
      ==19697== Conditional jump or move depends on uninitialised value(s)
      ==19697==    at 0x50C39A1: vfprintf (vfprintf.c:1636)
      ==19697==    by 0x50CA228: printf (printf.c:33)
      ==19697==    by 0x108E5A: main (in test-length)
      ==19697== 
      ==19697== Conditional jump or move depends on uninitialised value(s)
      ==19697==    at 0x50C2861: vfprintf (vfprintf.c:1636)
      ==19697==    by 0x50CA228: printf (printf.c:33)
      ==19697==    by 0x108E5A: main (in test-length)
      ==19697== 
      ==19697== Conditional jump or move depends on uninitialised value(s)
      ==19697==    at 0x50C28E2: vfprintf (vfprintf.c:1636)
      ==19697==    by 0x50CA228: printf (printf.c:33)
      ==19697==    by 0x108E5A: main (in test-length)
      ==19697== 
      field: name=Engine name_length=0 table=ENGINES table_length=0
      field: name=Support name_length=0 table=ENGINES table_length=0
      field: name=Comment name_length=0 table=ENGINES table_length=0
      field: name=Transactions name_length=0 table=ENGINES table_length=0
      field: name=XA name_length=0 table=ENGINES table_length=0
      field: name=Savepoints name_length=0 table=ENGINES table_length=0
      ==19697== 
      ==19697== HEAP SUMMARY:
      ==19697==     in use at exit: 0 bytes in 0 blocks
      ==19697==   total heap usage: 82 allocs, 82 frees, 79,277 bytes allocated
      ==19697== 
      ==19697== All heap blocks were freed -- no leaks are possible
      ==19697== 
      ==19697== For counts of detected and suppressed errors, rerun with: -v
      ==19697== Use --track-origins=yes to see where uninitialised values come from
      ==19697== ERROR SUMMARY: 60 errors from 5 contexts (suppressed: 0 from 0)
      

      According to the documentation, name_length should be the length of name (strlen), not zero or an uninitialised value.

      Output for MariaDB 10.2.3 (not affected):

      $ valgrind ./test-length 127.0.0.1 0 pali pali
      ==11107== Memcheck, a memory error detector
      ==11107== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
      ==11107== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
      ==11107== Command: ./test-length 127.0.0.1 0 pali pali
      ==11107== 
      field: name=Engine name_length=6 table=ENGINES table_length=7
      field: name=Support name_length=7 table=ENGINES table_length=7
      field: name=Comment name_length=7 table=ENGINES table_length=7
      field: name=Transactions name_length=12 table=ENGINES table_length=7
      field: name=XA name_length=2 table=ENGINES table_length=7
      field: name=Savepoints name_length=10 table=ENGINES table_length=7
      ==11107== 
      ==11107== HEAP SUMMARY:
      ==11107==     in use at exit: 0 bytes in 0 blocks
      ==11107==   total heap usage: 100 allocs, 100 frees, 248,721 bytes allocated
      ==11107== 
      ==11107== All heap blocks were freed -- no leaks are possible
      ==11107== 
      ==11107== For counts of detected and suppressed errors, rerun with: -v
      ==11107== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
      

      Here, with the older version, it is correct.

      Note that MySQL 5.5, 5.6, 5.7 and 8.0 do not have this problem. It is MariaDB-only.

      This problem makes the implementation of the DBD::MariaDB perl driver problematic.
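An added example, not the reporter's attached test-length.c and not Connector/C code: it shows the defensive check a driver such as DBD::MariaDB needs while an affected server or connector is in use, namely never trusting name_length or table_length without comparing them to strlen(). The struct field_meta is an assumed stand-in that mirrors only the name, name_length, table and table_length members of MYSQL_FIELD so the file builds without mysql.h; a real driver would apply the same functions to the MYSQL_FIELD obtained through mysql_stmt_result_metadata() and mysql_fetch_field(). The only property relied on is the documented one that name and table are NUL-terminated strings. The sample fields are constructed to mirror the affected (zero length) and unaffected outputs above, plus one garbage value standing in for uninitialised memory.

```c
/* Added example: defensive validation of mysql_fetch_field() length
 * metadata. Not the attachment from the bug report.
 *
 * struct field_meta is an assumed stand-in for the relevant part of
 * MYSQL_FIELD (name, name_length, table, table_length) so that this file
 * compiles without mysql.h. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct field_meta {
    const char *name;           /* NUL-terminated, as MYSQL_FIELD.name is   */
    unsigned long name_length;  /* should equal strlen(name)                */
    const char *table;          /* NUL-terminated, as MYSQL_FIELD.table is  */
    unsigned long table_length; /* should equal strlen(table)               */
};

/* Returns 1 when both reported lengths match strlen() of the strings they
 * describe, 0 otherwise (including NULL pointers). A zero length for a
 * non-empty name, or an uninitialised garbage value, both fail this test. */
int field_lengths_consistent(const struct field_meta *f)
{
    if (f->name == NULL || f->table == NULL)
        return 0;
    return f->name_length == strlen(f->name) &&
           f->table_length == strlen(f->table);
}

/* Safe accessors: use the reported length only when it agrees with the
 * string; otherwise fall back to strlen(). This is the workaround a driver
 * can ship until it can require a fixed Connector/C (2.3.6 / 3.0.5). */
size_t safe_name_length(const struct field_meta *f)
{
    size_t real = f->name ? strlen(f->name) : 0;
    return f->name_length == real ? (size_t)f->name_length : real;
}

size_t safe_table_length(const struct field_meta *f)
{
    size_t real = f->table ? strlen(f->table) : 0;
    return f->table_length == real ? (size_t)f->table_length : real;
}

/* Counts fields whose metadata would be unsafe to use as-is. */
int count_bad_fields(const struct field_meta *fields, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!field_lengths_consistent(&fields[i]))
            bad++;
    return bad;
}

/* Constructed sample (not real server output): first entry is what an
 * unaffected server returns, second is the zero-length case seen with
 * 10.2.4, third simulates an uninitialised length. */
static const struct field_meta sample[] = {
    { "Engine",       6,            "ENGINES", 7 },
    { "Support",      0,            "ENGINES", 0 },
    { "Transactions", 0xdeadbeefUL, "ENGINES", 7 },
};

/* Returns how many of the constructed sample fields are inconsistent (2). */
int demo_bad_count(void)
{
    return count_bad_fields(sample, sizeof sample / sizeof sample[0]);
}

int main(void)
{
    size_t n = sizeof sample / sizeof sample[0];
    for (size_t i = 0; i < n; i++) {
        const struct field_meta *f = &sample[i];
        printf("field: name=%s reported=%lu safe=%zu table=%s reported=%lu safe=%zu %s\n",
               f->name, f->name_length, safe_name_length(f),
               f->table, f->table_length, safe_table_length(f),
               field_lengths_consistent(f) ? "ok" : "INCONSISTENT");
    }
    printf("%d of %zu fields had bad length metadata\n", demo_bad_count(), n);
    return 0;
}
```

The check is cheap (one strlen per field per result set) and turns the silent misuse of garbage into a detectable condition; a driver can log it, or simply always use the safe_* accessors and treat the reported lengths as a hint.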

            People

            Assignee:
            georg Georg Richter
            Reporter:
            pali Pali
            Votes: 0
            Watchers: 4
