MariaDB Connector/C / CONC-60

segfault when executing 'SELECT * FROM table' through connector/c++ on a specific table

Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed

    Description

      Original LibreOffice bug report: https://bugs.freedesktop.org/70496

      When LibreOffice executes 'SELECT * FROM agendas' (via MySQL Connector/C++ 1.1.2) through a prepared statement (with no parameters), it leads to a segfault in libmariadb. When MySQL Connector/C++ is linked against libmysqlclient18 5.5.31+dfsg-0+wheezy1, the segfault does not happen.

      The full original reproduction database can be downloaded from the zip file in the directory mysqldumps on the
      FTP server ftp://pmg.pmgroup.be
      Login: algemeen
      Password: loginftppmg
      but I'm also attaching a smaller example.

      Backtrace & other gdb information:

      #0 net_field_length (packet=0x7fff57edd758)
      at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mariadb/libmariadb/libmariadb.c:466
      #1 0x00007f82b282b990 in mthd_stmt_read_all_rows (stmt=0x291ce50)
      at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mariadb/libmariadb/my_stmt.c:206
      #2 0x00007f82b282ff3a in mysql_stmt_store_result (stmt=0x291ce50)
      at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mariadb/libmariadb/my_stmt.c:1307
      #3 0x00007f82b281e962 in sql::mysql::NativeAPI::LibmysqlStaticProxy::stmt_store_result (this=0x273e060, stmt=0x291ce50)
      at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mysqlcppconn/driver/nativeapi/libmysql_static_proxy.cpp:548
      #4 0x00007f82b2820fc7 in sql::mysql::NativeAPI::MySQL_NativeStatementWrapper::store_result (this=0x291daf0)
      at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mysqlcppconn/driver/nativeapi/mysql_native_statement_wrapper.cpp:233
      #5 0x00007f82b27fd0c9 in sql::mysql::MySQL_Prepared_Statement::executeQuery (this=0x2917de0)
      at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mysqlcppconn/driver/mysql_prepared_statement.cpp:494
      #6 0x00007f82b2d1fbc8 in connectivity::mysqlc::OPreparedStatement::executeQuery (this=0x291c120)
      at /home/master/src/libreoffice/workdirs/master/mysqlc/source/mysqlc_preparedstatement.cxx:282
      (gdb) frame
      #2 0x00007f82b282ff3a in mysql_stmt_store_result (stmt=0x291ce50)
      at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mariadb/libmariadb/my_stmt.c:1307
      1307 if (stmt->mysql->methods->db_stmt_read_all_rows(stmt))
      (gdb) print *stmt
      $5 = {
      mem_root = { free = 0x0, used = 0x0, pre_alloc = 0x0, min_malloc = 32, block_size = 2008, block_num = 0, first_block_usage = 0, error_handler = 0 },
      mysql = 0x27459d0,
      stmt_id = 10,
      flags = 0,
      state = MYSQL_STMT_WAITING_USE_OR_STORE,
      fields = 0x291eec8,
      field_count = 23,
      param_count = 0,
      send_types_to_server = 0 '\000',
      params = 0x0,
      bind = 0x291e448,
      result = {
      rows = 2307,
      fields = 0,
      data = 0x28d2318,
      alloc = { free = 0x28d32f0, used = 0x29afb20, pre_alloc = 0x0, min_malloc = 32, block_size = 4056, block_num = 0, first_block_usage = 0, error_handler = 0 }
      },
      result_cursor = 0x0,
      bind_result_done = 0 '\000',
      bind_param_done = 1 '\001',
      upsert_status = { warning_count = 0, server_status = 34, affected_rows = 18446744073709551615, last_insert_id = 0 },
      last_errno = 0,
      last_error = '\000' <repeats 512 times>,
      sqlstate = "00000",
      update_max_length = 1 '\001',
      prefetch_rows = 1,
      list = { prev = 0x0, next = 0x0, data = 0x291ce50 },
      cursor_exists = 0 '\000',
      extension = 0x291d9a0,
      fetch_row_func = 0,
      execute_count = 1,
      default_rset_handler = 0x7f82b282c277 <_mysql_stmt_use_result>,
      m = 0x0
      }
      (gdb) print *stmt->mysql
      $6 = {
      net = { vio = 0x2748560, buff = 0x2766100 "", buff_end = 0x2768100 "ҙ\231\231\231\231\231\aq", write_pos = 0x2766100 "", read_pos = 0x2766100 "", fd = 36, remain_in_buf = 0, length = 0, buf_length = 0, where_b = 0, max_packet = 8192, max_packet_size = 16777215, pkt_nr = 2334, compress_pkt_nr = 2334, write_timeout = 0, read_timeout = 30, retry_count = 0, fcntl = 0, return_status = 0x0, reading_or_writing = 0 '\000', save_char = 0 '\000', unused_1 = 0 '\000', unused_2 = 0 '\000', compress = 0 '\000', unused_3 = 0 '\000', unused_4 = 0x0, last_errno = 0, error = 0 '\000', unused_5 = 0 '\000', unused_6 = 0 '\000', last_error = '\000' <repeats 511 times>, sqlstate = "00000", extension = 0x0 },
      unused_0 = 0x0,
      host = 0x2748528 "127.0.0.1",
      user = 0x2735790 "root",
      passwd = 0x2741170 "XXXXXX_REMOVED_XXXXXXXX",
      unix_socket = 0x0,
      server_version = 0x2746270 "5.1.66-0+squeeze1",
      host_info = 0x2748510 "127.0.0.1 via TCP/IP",
      info = 0x0,
      db = 0x27488a0 "fdo70496",
      charset = 0x7f82b2a8fae0,
      fields = 0x2920428,
      field_alloc = { free = 0x2920410, used = 0x0, pre_alloc = 0x0, min_malloc = 32, block_size = 8152, block_num = 0, first_block_usage = 0, error_handler = 0 },
      affected_rows = 18446744073709551615,
      insert_id = 0,
      extra_info = 0,
      thread_id = 330254,
      packet_length = 7,
      port = 3306,
      client_flag = 2007693,
      server_capabilities = 63487,
      protocol_version = 10,
      field_count = 23,
      server_status = 34,
      server_language = 8,
      warning_count = 0,
      options = { connect_timeout = 0, read_timeout = 0, write_timeout = 0, port = 0, protocol = 1, client_flag = 128, host = 0x0, user = 0x0, password = 0x0, unix_socket = 0x0, db = 0x0, init_command = 0x0, my_cnf_file = 0x0, my_cnf_group = 0x0, charset_dir = 0x0, charset_name = 0x27339e0 "utf8", ssl_key = 0x0, ssl_cert = 0x0, ssl_ca = 0x0, ssl_capath = 0x0, ssl_cipher = 0x0, shared_memory_base_name = 0x0, max_allowed_packet = 0, use_ssl = 0 '\000', compress = 0 '\000', named_pipe = 0 '\000', unused_1 = 0 '\000', unused_2 = 0 '\000', unused_3 = 0 '\000', unused_4 = 0 '\000', methods_to_use = MYSQL_OPT_CONNECT_TIMEOUT, client_ip = 0x0, secure_auth = 0 '\000', report_data_truncation = 0 '\000', local_infile_init = 0, local_infile_read = 0, local_infile_end = 0, local_infile_error = 0, local_infile_userdata = 0x0, extension = 0x27463b0 },
      status = MYSQL_STATUS_GET_RESULT,
      free_me = 1 '\001',
      reconnect = 0 '\000',
      scramble_buff = "RGP9m:vg$vKP2IVU(dAX",
      unused_1 = 0 '\000',
      unused_2 = 0x0,
      unused_3 = 0x0,
      unused_4 = 0x0,
      unused_5 = 0x0,
      stmts = 0x291d160,
      methods = 0x7f82b2a9ada0,
      thd = 0x0,
      unbuffered_fetch_owner = 0x0,
      info_buffer = 0x0,
      extension = 0x0
      }
      (gdb) down
      #1 0x00007f82b282b990 in mthd_stmt_read_all_rows (stmt=0x291ce50)
      at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mariadb/libmariadb/my_stmt.c:206
      206 size_t len= net_field_length(&cp);
      (gdb) print cp
      $7 = (uchar *) 0x1876621f <Address 0x1876621f out of bounds>
      (gdb) print i
      $8 = 16
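The backtrace above dies on the first byte read of net_field_length (`if (*pos < 251)`), with the row cursor `cp` already out of bounds at field 16 of the 23 the result metadata declares; the decoder is called with only a cursor and no end pointer to compare against. The following is an added example, not code from libmariadb, Connector/C++ or this report: a bounds-checked decoder for the same length-encoded integer format, plus a row walker that refuses a packet whose declared column count or column lengths outrun the bytes actually present. The sample packets are constructed inline and the function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Outcomes of decoding one length-encoded integer. */
enum lenenc_status {
    LENENC_OK = 0,
    LENENC_NULL,       /* 0xFB in row data: the column is SQL NULL */
    LENENC_TRUNCATED,  /* packet ends before the encoded integer does */
    LENENC_ERROR       /* 0xFF: an ERR packet header, not a length */
};

/*
 * Bounds-checked decoder for the MySQL/MariaDB length-encoded integer:
 *   0x00..0xFA  the value is the first byte itself
 *   0xFC        a 2-byte little-endian value follows
 *   0xFD        a 3-byte little-endian value follows
 *   0xFE        an 8-byte little-endian value follows
 * Unlike a decoder that receives only a cursor, it never dereferences
 * *pos unless *pos < end and never reads trailing bytes that do not exist.
 */
static enum lenenc_status
lenenc_read(const unsigned char **pos, const unsigned char *end, uint64_t *out)
{
    const unsigned char *p = *pos;
    size_t extra, i;
    uint64_t v = 0;

    if (p >= end)
        return LENENC_TRUNCATED;
    if (p[0] < 251) { *out = p[0]; *pos = p + 1; return LENENC_OK; }
    if (p[0] == 251) { *pos = p + 1; return LENENC_NULL; }
    if (p[0] == 255)
        return LENENC_ERROR;

    extra = (p[0] == 252) ? 2 : (p[0] == 253) ? 3 : 8;
    if ((size_t)(end - p) < 1 + extra)
        return LENENC_TRUNCATED;
    for (i = 0; i < extra; i++)
        v |= (uint64_t)p[1 + i] << (8 * i);
    *out = v;
    *pos = p + 1 + extra;
    return LENENC_OK;
}

/*
 * Walk field_count length-prefixed column values inside [pos, end), as a
 * result-row reader does. Returns the number of columns consumed, or -1 if
 * a length prefix or a column payload would extend past the packet. Trusting
 * field_count and the lengths blindly is how a cursor ends up out of bounds
 * in the middle of a row.
 */
static int
walk_row_fields(const unsigned char *pos, const unsigned char *end, unsigned field_count)
{
    unsigned i;
    for (i = 0; i < field_count; i++) {
        uint64_t len = 0;
        enum lenenc_status st = lenenc_read(&pos, end, &len);
        if (st == LENENC_NULL)
            continue;
        if (st != LENENC_OK)
            return -1;
        if (len > (uint64_t)(end - pos))
            return -1;            /* payload longer than what is left */
        pos += len;
    }
    return (int)i;
}

/* Constructed sample row (not taken from the reporter's database):
 * "ab", NULL, then "xyz" with its length in the 2-byte 0xFC form. */
static const unsigned char sample_row[] = {
    0x02, 'a', 'b',
    0xFB,
    0xFC, 0x03, 0x00, 'x', 'y', 'z'
};

int example_complete_row(void)
{   /* 3 declared columns in 10 bytes: everything fits -> 3 */
    return walk_row_fields(sample_row, sample_row + sizeof sample_row, 3);
}

int example_truncated_payload(void)
{   /* same row cut to 8 bytes: third column claims 3 bytes, 1 remains -> -1 */
    return walk_row_fields(sample_row, sample_row + 8, 3);
}

int example_field_count_too_large(void)
{   /* metadata says 5 columns but the row holds 3: -1, no read past end */
    return walk_row_fields(sample_row, sample_row + sizeof sample_row, 5);
}

uint64_t example_eight_byte_length(void)
{   /* 0xFE prefix followed by 8 little-endian bytes -> 2^56 + 1 */
    static const unsigned char enc[] = { 0xFE, 1, 0, 0, 0, 0, 0, 0, 1 };
    const unsigned char *p = enc;
    uint64_t v = 0;
    return lenenc_read(&p, enc + sizeof enc, &v) == LENENC_OK ? v : 0;
}

int main(void)
{
    printf("complete row: %d columns\n", example_complete_row());
    printf("truncated payload: %d\n", example_truncated_payload());
    printf("field_count too large: %d\n", example_field_count_too_large());
    printf("8-byte length: %llu\n", (unsigned long long)example_eight_byte_length());
    return 0;
}
```

The third helper is the shape of the failure in this report: the metadata promised more columns than the row data could supply, and a walker with an end pointer reports that instead of reading whatever memory follows the buffer.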

      Attachments

        1. agendas_nodata.sql
          1021 kB
        2. libreoffice.patch
          1 kB
        3. LOG
          8 kB
        4. mariadb-native-client.patch
          0.4 kB
        5. REPRODUCTION_SCRIPT
          2 kB
        6. tst.odb
          2 kB

        Activity

          lmamane Lionel Elie Mamane added a comment -

          Anyway, here is what happens before the mysql_stmt_store_result
          georg Georg Richter added a comment -

          Can you please retest with the latest revision (104). I did some rework on prepared statements (max_length for double was not set correctly).
          If the problem persists, can you please activate the debug log and attach it to the bug report? (export MYSQL_DEBUG=d:t:O,/pathto/debug.log)

          lmamane Lionel Elie Mamane added a comment -

          Reproduced with revision 105, with much the same backtrace:

          #0 net_field_length (packet=packet@entry=0x7ffff78e3818)
          at /home/master/src/libreoffice/mariadb/mariadb-native-client.trunk/libmariadb/libmariadb.c:466
          466 if (*pos < 251)
          (gdb) bt
          #0 net_field_length (packet=packet@entry=0x7ffff78e3818)
          at /home/master/src/libreoffice/mariadb/mariadb-native-client.trunk/libmariadb/libmariadb.c:466
          #1 0x00007f30d9d28e93 in mthd_stmt_read_all_rows (stmt=0x32fe5d0)
          at /home/master/src/libreoffice/mariadb/mariadb-native-client.trunk/libmariadb/my_stmt.c:210
          #2 0x00007f30d9d2aba1 in mysql_stmt_store_result (stmt=0x32fe5d0)
          at /home/master/src/libreoffice/mariadb/mariadb-native-client.trunk/libmariadb/my_stmt.c:1339
          #3 0x00007f30d9d1f332 in sql::mysql::NativeAPI::LibmysqlStaticProxy::stmt_store_result (this=0x31313b0, stmt=0x32fe5d0)
          at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mysqlcppconn/driver/nativeapi/libmysql_static_proxy.cpp:548
          georg Georg Richter added a comment -

          Hi,

          unfortunately I wasn't able to build LibreOffice. Would it be possible to get access to your machine or to install it on one of our test machines?
          You can reach me usually on irc (freenode channel #maria, nickname georg(with some underscores)) or via mail my firstname@mariadb dot com. Since we want to publish the next release before end of the year I like to close/fix this bug asap.

          Thanks for your help!

          georg Georg Richter added a comment -

          Fixed in rev. 107.

          Special thanks to Lionel for his tremendous help!


          People

            georg Georg Richter
            lmamane Lionel Elie Mamane
            Votes: 0
            Watchers: 2
