MariaDB Server / MDEV-12416

OOM in create_virtual_tmp_table() makes the server crash


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.2
    • Fix Version/s: 10.2.5
    • Component/s: OTHER
    • Labels:
      None

      Description

      If OOM (out of memory) happens inside create_virtual_tmp_table(), the server can crash.

      There are two problems:

      1. If OOM happens inside multi_alloc_root in Virtual_tmp_table::init, then the member TABLE::s is left to be a NULL pointer. The destructor calls destruct_fields() without a test that TABLE::s was really allocated. It should test that s is not NULL before calling destruct_fields.

      2. The class Virtual_tmp_table overrides the operator new to allocate itself on mem_root, but it does not override the operator delete, which is mapped to the system function free() by default. As a result free() is called for something which was never allocated with the system function malloc(). The class Virtual_tmp_table should override operator delete.

      The problem was introduced by the patch for MDEV-9238 in 10.2.0.
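
The two fixes the description asks for, as a minimal C++ sketch added here; it is not MariaDB's code. `Arena`, `Share`, `ArenaTable`, `fields_destructed` and `run_case` are hypothetical stand-ins for a mem_root, the object behind TABLE::s, Virtual_tmp_table and a test driver.

```cpp
#include <cstddef>
#include <new>

// Toy stand-in for a mem_root-style arena, with an injectable OOM.
struct Arena {
    alignas(std::max_align_t) unsigned char buf[1024];
    std::size_t used = 0;
    bool fail = false;  // set to true to simulate out-of-memory
    void *alloc(std::size_t n) {
        const std::size_t a = alignof(std::max_align_t);
        n = (n + a - 1) / a * a;  // keep every allocation aligned
        if (fail || used + n > sizeof buf) return nullptr;
        void *p = buf + used;
        used += n;
        return p;
    }
};

struct Share { int nfields; };     // stand-in for what TABLE::s points to
static int fields_destructed = 0;  // work done by destruct_fields()
class ArenaTable {
    Share *s = nullptr;            // stays NULL if init() hits OOM
    void destruct_fields() { fields_destructed += s->nfields; }  // dereferences s
public:
    // The object lives in the arena, so free() must never be called on it.
    static void *operator new(std::size_t n, Arena *a) noexcept { return a->alloc(n); }
    static void operator delete(void *, Arena *) noexcept {}  // matching placement form
    static void operator delete(void *) noexcept {}           // used by `delete p`: no-op
    bool init(Arena *a, int nfields) {
        void *p = a->alloc(sizeof(Share));
        if (!p) return true;       // OOM: s is still NULL
        s = new (p) Share{nfields};
        return false;
    }
    ~ArenaTable() { if (s) destruct_fields(); }  // problem 1: test s first
};

// Creates, initialises and deletes one table; oom=true fails the allocation in init().
int run_case(bool oom, int nfields) {
    Arena arena;
    fields_destructed = 0;
    ArenaTable *t = new (&arena) ArenaTable;
    if (!t) return -1;
    arena.fail = oom;
    t->init(&arena, nfields);
    delete t;  // runs ~ArenaTable(), then the class's no-op operator delete
    return fields_destructed;
}
int main() { return run_case(true, 3) == 0 && run_case(false, 3) == 3 ? 0 : 1; }
```

Without the `if (s)` guard the OOM case dereferences a null pointer in the destructor, and without the class-level `operator delete` the `delete t` line hands arena memory to the global deallocator.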


              People

              Assignee:
              bar Alexander Barkov
              Reporter:
              bar Alexander Barkov
              Votes:
              0
              Watchers:
              2
