[CONC-60] segfault when executing 'SELECT * FROM table' through connector/c++ on a specific table - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: None
Fix Version/s: None
Component/s: None
Labels:
None
Environment:

Hide
Reproduced on Microsoft Windows and Debian GNU/Linux amd64.
LIbreOffice version 4.1 uses MySQL Connector/C++ 1.1.2 (statically) linked with libmariadb.
Reproduced when connecting to 5.6.12-enterprise-commercial-advanced-log and when connecting to 5.1.66-0+squeeze1 (Debian).

Reproduced with bzr revision 40 and bzr revision 101 (current tip of trunk) of libmariadb.

Show
Reproduced on Microsoft Windows and Debian GNU/Linux amd64. LIbreOffice version 4.1 uses MySQL Connector/C++ 1.1.2 (statically) linked with libmariadb. Reproduced when connecting to 5.6.12-enterprise-commercial-advanced-log and when connecting to 5.1.66-0+squeeze1 (Debian). Reproduced with bzr revision 40 and bzr revision 101 (current tip of trunk) of libmariadb.

Description

Original LibreOffice bug report: https://bugs.freedesktop.org/70496

When LibreOffice executes 'SELECT * FROM agendas' (via MySQL Connector/C++ 1.1.2) through a prepared statement (with no parameters), it leads to a segfault in libmariadb. When MySQL Connector/C++ is linked against libmysqlclient18 5.5.31+dfsg-0+wheezy1, the segfault does not happen.

The full original reproduction database can be downloaded from zip file in directory mysqldumps from
FTP server ftp://pmg.pmgroup.be
Login: algemeen
Password: loginftppmg
but I'm also attaching a smaller example.

Backtrace & other gdb information:

#0 net_field_length (packet=0x7fff57edd758)
at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mariadb/libmariadb/libmariadb.c:466
#1 0x00007f82b282b990 in mthd_stmt_read_all_rows (stmt=0x291ce50)
at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mariadb/libmariadb/my_stmt.c:206
#2 0x00007f82b282ff3a in mysql_stmt_store_result (stmt=0x291ce50)
at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mariadb/libmariadb/my_stmt.c:1307
#3 0x00007f82b281e962 in sql::mysql::NativeAPI::LibmysqlStaticProxy::stmt_store_result (this=0x273e060, stmt=0x291ce50)
at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mysqlcppconn/driver/nativeapi/libmysql_static_proxy.cpp:548
#4 0x00007f82b2820fc7 in sql::mysql::NativeAPI::MySQL_NativeStatementWrapper::store_result (this=0x291daf0)
at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mysqlcppconn/driver/nativeapi/mysql_native_statement_wrapper.cpp:233
#5 0x00007f82b27fd0c9 in sql::mysql::MySQL_Prepared_Statement::executeQuery (this=0x2917de0)
at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mysqlcppconn/driver/mysql_prepared_statement.cpp:494
#6 0x00007f82b2d1fbc8 in connectivity::mysqlc::OPreparedStatement::executeQuery (this=0x291c120)
at /home/master/src/libreoffice/workdirs/master/mysqlc/source/mysqlc_preparedstatement.cxx:282
(gdb) frame
#2 0x00007f82b282ff3a in mysql_stmt_store_result (stmt=0x291ce50)
at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mariadb/libmariadb/my_stmt.c:1307
1307 if (stmt->mysql->methods->db_stmt_read_all_rows(stmt))
(gdb) print *stmt
$5 = {
mem_root =

{ free = 0x0, used = 0x0, pre_alloc = 0x0, min_malloc = 32, block_size = 2008, block_num = 0, first_block_usage = 0, error_handler = 0 }

,
mysql = 0x27459d0,
stmt_id = 10,
flags = 0,
state = MYSQL_STMT_WAITING_USE_OR_STORE,
fields = 0x291eec8,
field_count = 23,
param_count = 0,
send_types_to_server = 0 '\000',
params = 0x0,
bind = 0x291e448,
result = {
rows = 2307,
fields = 0,
data = 0x28d2318,
alloc =

{ free = 0x28d32f0, used = 0x29afb20, pre_alloc = 0x0, min_malloc = 32, block_size = 4056, block_num = 0, first_block_usage = 0, error_handler = 0 }

},
result_cursor = 0x0,
bind_result_done = 0 '\000',
bind_param_done = 1 '\001',
upsert_status =

{ warning_count = 0, server_status = 34, affected_rows = 18446744073709551615, last_insert_id = 0 }

,
last_errno = 0,
last_error = '\000' <repeats 512 times>,
sqlstate = "00000",
update_max_length = 1 '\001',
prefetch_rows = 1,
list =

{ prev = 0x0, next = 0x0, data = 0x291ce50 }

,
cursor_exists = 0 '\000',
extension = 0x291d9a0,
fetch_row_func = 0,
execute_count = 1,
default_rset_handler = 0x7f82b282c277 <_mysql_stmt_use_result>,
m = 0x0
}
(gdb) print *stmt->mysql
$6 = {
net =

{ vio = 0x2748560, buff = 0x2766100 "", buff_end = 0x2768100 "ҙ\231\231\231\231\231\aq", write_pos = 0x2766100 "", read_pos = 0x2766100 "", fd = 36, remain_in_buf = 0, length = 0, buf_length = 0, where_b = 0, max_packet = 8192, max_packet_size = 16777215, pkt_nr = 2334, compress_pkt_nr = 2334, write_timeout = 0, read_timeout = 30, retry_count = 0, fcntl = 0, return_status = 0x0, reading_or_writing = 0 '\000', save_char = 0 '\000', unused_1 = 0 '\000', unused_2 = 0 '\000', compress = 0 '\000', unused_3 = 0 '\000', unused_4 = 0x0, last_errno = 0, error = 0 '\000', unused_5 = 0 '\000', unused_6 = 0 '\000', last_error = '\000' <repeats 511 times>, sqlstate = "00000", extension = 0x0 }

,
unused_0 = 0x0,
host = 0x2748528 "127.0.0.1",
user = 0x2735790 "root",
passwd = 0x2741170 "XXXXXX_REMOVED_XXXXXXXX",
unix_socket = 0x0,
server_version = 0x2746270 "5.1.66-0+squeeze1",
host_info = 0x2748510 "127.0.0.1 via TCP/IP",
info = 0x0,
db = 0x27488a0 "fdo70496",
charset = 0x7f82b2a8fae0,
fields = 0x2920428,
field_alloc =

{ free = 0x2920410, used = 0x0, pre_alloc = 0x0, min_malloc = 32, block_size = 8152, block_num = 0, first_block_usage = 0, error_handler = 0 }

,
affected_rows = 18446744073709551615,
insert_id = 0,
extra_info = 0,
thread_id = 330254,
packet_length = 7,
port = 3306,
client_flag = 2007693,
server_capabilities = 63487,
protocol_version = 10,
field_count = 23,
server_status = 34,
server_language = 8,
warning_count = 0,
options =

{ connect_timeout = 0, read_timeout = 0, write_timeout = 0, port = 0, protocol = 1, client_flag = 128, host = 0x0, user = 0x0, password = 0x0, unix_socket = 0x0, db = 0x0, init_command = 0x0, my_cnf_file = 0x0, my_cnf_group = 0x0, charset_dir = 0x0, charset_name = 0x27339e0 "utf8", ssl_key = 0x0, ssl_cert = 0x0, ssl_ca = 0x0, ssl_capath = 0x0, ssl_cipher = 0x0, shared_memory_base_name = 0x0, max_allowed_packet = 0, use_ssl = 0 '\000', compress = 0 '\000', named_pipe = 0 '\000', unused_1 = 0 '\000', unused_2 = 0 '\000', unused_3 = 0 '\000', unused_4 = 0 '\000', methods_to_use = MYSQL_OPT_CONNECT_TIMEOUT, client_ip = 0x0, secure_auth = 0 '\000', report_data_truncation = 0 '\000', local_infile_init = 0, local_infile_read = 0, local_infile_end = 0, local_infile_error = 0, local_infile_userdata = 0x0, extension = 0x27463b0 }

,
status = MYSQL_STATUS_GET_RESULT,
free_me = 1 '\001',
reconnect = 0 '\000',
scramble_buff = "RGP9m:vg$vKP2IVU(dAX",
unused_1 = 0 '\000',
unused_2 = 0x0,
unused_3 = 0x0,
unused_4 = 0x0,
unused_5 = 0x0,
stmts = 0x291d160,
methods = 0x7f82b2a9ada0,
thd = 0x0,
unbuffered_fetch_owner = 0x0,
info_buffer = 0x0,
extension = 0x0
}
(gdb) down
#1 0x00007f82b282b990 in mthd_stmt_read_all_rows (stmt=0x291ce50)
at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mariadb/libmariadb/my_stmt.c:206
206 size_t len= net_field_length(&cp);
(gdb) print cp
$7 = (uchar *) 0x1876621f <Address 0x1876621f out of bounds>
(gdb) print i
$8 = 16

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

agendas_nodata.sql
1021 kB
2013-10-19 17:19
libreoffice.patch
1 kB
2013-10-21 13:45
LOG
8 kB
2013-10-21 15:44
mariadb-native-client.patch
0.4 kB
2013-10-21 13:42
REPRODUCTION_SCRIPT
2 kB
2013-10-21 13:40
tst.odb
2 kB
2013-10-21 13:41

segfault when executing 'SELECT * FROM table' through connector/c++ on a specific table

Details

Description

Attachments

Attachments

Activity

People

Dates

Git Integration