Bug
-
Status: Closed
-
Critical
-
Resolution: Fixed
Reproduced on Microsoft Windows and Debian GNU/Linux amd64.
LibreOffice version 4.1 uses MySQL Connector/C++ 1.1.2, statically linked with libmariadb.
Reproduced when connecting to server version 5.6.12-enterprise-commercial-advanced-log and to 5.1.66-0+squeeze1 (Debian).
Reproduced with bzr revision 40 and bzr revision 101 (current tip of trunk) of libmariadb.
Description
Original LibreOffice bug report: https://bugs.freedesktop.org/70496
When LibreOffice executes 'SELECT * FROM agendas' through a prepared statement with no parameters (via MySQL Connector/C++ 1.1.2), libmariadb segfaults. When MySQL Connector/C++ is instead linked against libmysqlclient18 5.5.31+dfsg-0+wheezy1, the segfault does not occur.
The full original reproduction database can be downloaded as a zip file from the mysqldumps directory on the FTP server ftp://pmg.pmgroup.be (login: algemeen, password: loginftppmg), but I am also attaching a smaller example.
Backtrace and other gdb information (the crash is in net_field_length, reading through an out-of-bounds row pointer while mthd_stmt_read_all_rows walks the stored rows):
#0 net_field_length (packet=0x7fff57edd758)
at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mariadb/libmariadb/libmariadb.c:466
#1 0x00007f82b282b990 in mthd_stmt_read_all_rows (stmt=0x291ce50)
at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mariadb/libmariadb/my_stmt.c:206
#2 0x00007f82b282ff3a in mysql_stmt_store_result (stmt=0x291ce50)
at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mariadb/libmariadb/my_stmt.c:1307
#3 0x00007f82b281e962 in sql::mysql::NativeAPI::LibmysqlStaticProxy::stmt_store_result (this=0x273e060, stmt=0x291ce50)
at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mysqlcppconn/driver/nativeapi/libmysql_static_proxy.cpp:548
#4 0x00007f82b2820fc7 in sql::mysql::NativeAPI::MySQL_NativeStatementWrapper::store_result (this=0x291daf0)
at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mysqlcppconn/driver/nativeapi/mysql_native_statement_wrapper.cpp:233
#5 0x00007f82b27fd0c9 in sql::mysql::MySQL_Prepared_Statement::executeQuery (this=0x2917de0)
at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mysqlcppconn/driver/mysql_prepared_statement.cpp:494
#6 0x00007f82b2d1fbc8 in connectivity::mysqlc::OPreparedStatement::executeQuery (this=0x291c120)
at /home/master/src/libreoffice/workdirs/master/mysqlc/source/mysqlc_preparedstatement.cxx:282
(gdb) frame
#2 0x00007f82b282ff3a in mysql_stmt_store_result (stmt=0x291ce50)
at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mariadb/libmariadb/my_stmt.c:1307
1307 if (stmt->mysql->methods->db_stmt_read_all_rows(stmt))
(gdb) print *stmt
$5 = {
mem_root =
,
mysql = 0x27459d0,
stmt_id = 10,
flags = 0,
state = MYSQL_STMT_WAITING_USE_OR_STORE,
fields = 0x291eec8,
field_count = 23,
param_count = 0,
send_types_to_server = 0 '\000',
params = 0x0,
bind = 0x291e448,
result = {
rows = 2307,
fields = 0,
data = 0x28d2318,
alloc =
},
result_cursor = 0x0,
bind_result_done = 0 '\000',
bind_param_done = 1 '\001',
upsert_status =
,
last_errno = 0,
last_error = '\000' <repeats 512 times>,
sqlstate = "00000",
update_max_length = 1 '\001',
prefetch_rows = 1,
list =
,
cursor_exists = 0 '\000',
extension = 0x291d9a0,
fetch_row_func = 0,
execute_count = 1,
default_rset_handler = 0x7f82b282c277 <_mysql_stmt_use_result>,
m = 0x0
}
(gdb) print *stmt->mysql
$6 = {
net =
,
unused_0 = 0x0,
host = 0x2748528 "127.0.0.1",
user = 0x2735790 "root",
passwd = 0x2741170 "XXXXXX_REMOVED_XXXXXXXX",
unix_socket = 0x0,
server_version = 0x2746270 "5.1.66-0+squeeze1",
host_info = 0x2748510 "127.0.0.1 via TCP/IP",
info = 0x0,
db = 0x27488a0 "fdo70496",
charset = 0x7f82b2a8fae0,
fields = 0x2920428,
field_alloc =
,
affected_rows = 18446744073709551615,
insert_id = 0,
extra_info = 0,
thread_id = 330254,
packet_length = 7,
port = 3306,
client_flag = 2007693,
server_capabilities = 63487,
protocol_version = 10,
field_count = 23,
server_status = 34,
server_language = 8,
warning_count = 0,
options =
,
status = MYSQL_STATUS_GET_RESULT,
free_me = 1 '\001',
reconnect = 0 '\000',
scramble_buff = "RGP9m:vg$vKP2IVU(dAX",
unused_1 = 0 '\000',
unused_2 = 0x0,
unused_3 = 0x0,
unused_4 = 0x0,
unused_5 = 0x0,
stmts = 0x291d160,
methods = 0x7f82b2a9ada0,
thd = 0x0,
unbuffered_fetch_owner = 0x0,
info_buffer = 0x0,
extension = 0x0
}
(gdb) down
#1 0x00007f82b282b990 in mthd_stmt_read_all_rows (stmt=0x291ce50)
at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mariadb/libmariadb/my_stmt.c:206
206 size_t len= net_field_length(&cp);
(gdb) print cp
$7 = (uchar *) 0x1876621f <Address 0x1876621f out of bounds>
(gdb) print i
$8 = 16