Uploaded image for project: 'MariaDB Connector/C'
  1. MariaDB Connector/C
  2. CONC-60

segfault when executing 'SELECT * FROM table' through connector/c++ on a specific table

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Critical
    • Resolution: Fixed
    • None
    • None
    • None
    • None

    Description

      Original LibreOffice bug report: https://bugs.freedesktop.org/70496

      When LibreOffice executes 'SELECT * FROM agendas' (via MySQL Connector/C++ 1.1.2) through a prepared statement (with no parameters), it leads to a segfault in libmariadb. When MySQL Connector/C++ is linked against libmysqlclient18 5.5.31+dfsg-0+wheezy1, the segfault does not happen.

      The full original reproduction database can be downloaded from zip file in directory mysqldumps from
      FTP server ftp://pmg.pmgroup.be
      Login: algemeen
      Password: loginftppmg
      but I'm also attaching a smaller example.

      Backtrace & other gdb information:

      #0 net_field_length (packet=0x7fff57edd758)
      at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mariadb/libmariadb/libmariadb.c:466
      #1 0x00007f82b282b990 in mthd_stmt_read_all_rows (stmt=0x291ce50)
      at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mariadb/libmariadb/my_stmt.c:206
      #2 0x00007f82b282ff3a in mysql_stmt_store_result (stmt=0x291ce50)
      at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mariadb/libmariadb/my_stmt.c:1307
      #3 0x00007f82b281e962 in sql::mysql::NativeAPI::LibmysqlStaticProxy::stmt_store_result (this=0x273e060, stmt=0x291ce50)
      at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mysqlcppconn/driver/nativeapi/libmysql_static_proxy.cpp:548
      #4 0x00007f82b2820fc7 in sql::mysql::NativeAPI::MySQL_NativeStatementWrapper::store_result (this=0x291daf0)
      at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mysqlcppconn/driver/nativeapi/mysql_native_statement_wrapper.cpp:233
      #5 0x00007f82b27fd0c9 in sql::mysql::MySQL_Prepared_Statement::executeQuery (this=0x2917de0)
      at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mysqlcppconn/driver/mysql_prepared_statement.cpp:494
      #6 0x00007f82b2d1fbc8 in connectivity::mysqlc::OPreparedStatement::executeQuery (this=0x291c120)
      at /home/master/src/libreoffice/workdirs/master/mysqlc/source/mysqlc_preparedstatement.cxx:282
      (gdb) frame
      #2 0x00007f82b282ff3a in mysql_stmt_store_result (stmt=0x291ce50)
      at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mariadb/libmariadb/my_stmt.c:1307
      1307 if (stmt->mysql->methods->db_stmt_read_all_rows(stmt))
      (gdb) print *stmt
      $5 = {
      mem_root =

      { free = 0x0, used = 0x0, pre_alloc = 0x0, min_malloc = 32, block_size = 2008, block_num = 0, first_block_usage = 0, error_handler = 0 }

      ,
      mysql = 0x27459d0,
      stmt_id = 10,
      flags = 0,
      state = MYSQL_STMT_WAITING_USE_OR_STORE,
      fields = 0x291eec8,
      field_count = 23,
      param_count = 0,
      send_types_to_server = 0 '\000',
      params = 0x0,
      bind = 0x291e448,
      result = {
      rows = 2307,
      fields = 0,
      data = 0x28d2318,
      alloc =

      { free = 0x28d32f0, used = 0x29afb20, pre_alloc = 0x0, min_malloc = 32, block_size = 4056, block_num = 0, first_block_usage = 0, error_handler = 0 }

      },
      result_cursor = 0x0,
      bind_result_done = 0 '\000',
      bind_param_done = 1 '\001',
      upsert_status =

      { warning_count = 0, server_status = 34, affected_rows = 18446744073709551615, last_insert_id = 0 }

      ,
      last_errno = 0,
      last_error = '\000' <repeats 512 times>,
      sqlstate = "00000",
      update_max_length = 1 '\001',
      prefetch_rows = 1,
      list =

      { prev = 0x0, next = 0x0, data = 0x291ce50 }

      ,
      cursor_exists = 0 '\000',
      extension = 0x291d9a0,
      fetch_row_func = 0,
      execute_count = 1,
      default_rset_handler = 0x7f82b282c277 <_mysql_stmt_use_result>,
      m = 0x0
      }
      (gdb) print *stmt->mysql
      $6 = {
      net =

      { vio = 0x2748560, buff = 0x2766100 "", buff_end = 0x2768100 "ҙ\231\231\231\231\231\aq", write_pos = 0x2766100 "", read_pos = 0x2766100 "", fd = 36, remain_in_buf = 0, length = 0, buf_length = 0, where_b = 0, max_packet = 8192, max_packet_size = 16777215, pkt_nr = 2334, compress_pkt_nr = 2334, write_timeout = 0, read_timeout = 30, retry_count = 0, fcntl = 0, return_status = 0x0, reading_or_writing = 0 '\000', save_char = 0 '\000', unused_1 = 0 '\000', unused_2 = 0 '\000', compress = 0 '\000', unused_3 = 0 '\000', unused_4 = 0x0, last_errno = 0, error = 0 '\000', unused_5 = 0 '\000', unused_6 = 0 '\000', last_error = '\000' <repeats 511 times>, sqlstate = "00000", extension = 0x0 }

      ,
      unused_0 = 0x0,
      host = 0x2748528 "127.0.0.1",
      user = 0x2735790 "root",
      passwd = 0x2741170 "XXXXXX_REMOVED_XXXXXXXX",
      unix_socket = 0x0,
      server_version = 0x2746270 "5.1.66-0+squeeze1",
      host_info = 0x2748510 "127.0.0.1 via TCP/IP",
      info = 0x0,
      db = 0x27488a0 "fdo70496",
      charset = 0x7f82b2a8fae0,
      fields = 0x2920428,
      field_alloc =

      { free = 0x2920410, used = 0x0, pre_alloc = 0x0, min_malloc = 32, block_size = 8152, block_num = 0, first_block_usage = 0, error_handler = 0 }

      ,
      affected_rows = 18446744073709551615,
      insert_id = 0,
      extra_info = 0,
      thread_id = 330254,
      packet_length = 7,
      port = 3306,
      client_flag = 2007693,
      server_capabilities = 63487,
      protocol_version = 10,
      field_count = 23,
      server_status = 34,
      server_language = 8,
      warning_count = 0,
      options =

      { connect_timeout = 0, read_timeout = 0, write_timeout = 0, port = 0, protocol = 1, client_flag = 128, host = 0x0, user = 0x0, password = 0x0, unix_socket = 0x0, db = 0x0, init_command = 0x0, my_cnf_file = 0x0, my_cnf_group = 0x0, charset_dir = 0x0, charset_name = 0x27339e0 "utf8", ssl_key = 0x0, ssl_cert = 0x0, ssl_ca = 0x0, ssl_capath = 0x0, ssl_cipher = 0x0, shared_memory_base_name = 0x0, max_allowed_packet = 0, use_ssl = 0 '\000', compress = 0 '\000', named_pipe = 0 '\000', unused_1 = 0 '\000', unused_2 = 0 '\000', unused_3 = 0 '\000', unused_4 = 0 '\000', methods_to_use = MYSQL_OPT_CONNECT_TIMEOUT, client_ip = 0x0, secure_auth = 0 '\000', report_data_truncation = 0 '\000', local_infile_init = 0, local_infile_read = 0, local_infile_end = 0, local_infile_error = 0, local_infile_userdata = 0x0, extension = 0x27463b0 }

      ,
      status = MYSQL_STATUS_GET_RESULT,
      free_me = 1 '\001',
      reconnect = 0 '\000',
      scramble_buff = "RGP9m:vg$vKP2IVU(dAX",
      unused_1 = 0 '\000',
      unused_2 = 0x0,
      unused_3 = 0x0,
      unused_4 = 0x0,
      unused_5 = 0x0,
      stmts = 0x291d160,
      methods = 0x7f82b2a9ada0,
      thd = 0x0,
      unbuffered_fetch_owner = 0x0,
      info_buffer = 0x0,
      extension = 0x0
      }
      (gdb) down
      #1 0x00007f82b282b990 in mthd_stmt_read_all_rows (stmt=0x291ce50)
      at /home/master/src/libreoffice/workdirs/master/workdir/unxlngx6/UnpackedTarball/mariadb/libmariadb/my_stmt.c:206
      206 size_t len= net_field_length(&cp);
      (gdb) print cp
      $7 = (uchar *) 0x1876621f <Address 0x1876621f out of bounds>
      (gdb) print i
      $8 = 16

      Attachments

        1. agendas_nodata.sql
          1021 kB
          Lionel Elie Mamane
        2. libreoffice.patch
          1 kB
          Lionel Elie Mamane
        3. LOG
          8 kB
          Lionel Elie Mamane
        4. mariadb-native-client.patch
          0.4 kB
          Lionel Elie Mamane
        5. REPRODUCTION_SCRIPT
          2 kB
          Lionel Elie Mamane
        6. tst.odb
          2 kB
          Lionel Elie Mamane

        Activity

          People

            georg Georg Richter
            lmamane Lionel Elie Mamane
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.