MariaDB Server / MDEV-12696

Crash with LOAD XML and non-updatable VIEW column

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 10.1(EOL), 10.2(EOL), 10.3(EOL)
    • 10.2.6
    • OTHER

    Description

      I dump some data into an XML file:

      mysql --xml -e "SELECT 'test' AS c1" >/tmp/dump.xml
      

      Now I create a table and a view with a non-updatable column:

      CREATE OR REPLACE TABLE t1 (c1 TEXT);
      CREATE OR REPLACE VIEW v1 AS SELECT CONCAT(c1,'') AS c1 FROM t1;
      

      And try to load data into it:

      LOAD XML INFILE '/tmp/dump.xml' INTO TABLE v1 (c1);
      

      The server crashed, either immediately, or on the next query.

      The crash happens because read_xml_field casts item to Item_user_var_as_out_param without checking for the proper Item type, in these two places:

              else
                ((Item_user_var_as_out_param *) item)->set_null_value(cs);
      ...
            else
              ((Item_user_var_as_out_param *) item)->set_value(
                                                       (char *) tag->value.ptr(), 
                                                       tag->value.length(), cs);
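
The unchecked cast described above, modelled outside the server as an added example (not MariaDB source and not the fix that shipped in 10.2.6). The `Item` classes are simplified stand-ins, and `store_unchecked`, `store_checked`, `StoreResult` and the `FIELD_ITEM` test in front of the cast are assumptions made for illustration.

```cpp
#include <string>
// Simplified stand-ins for the server's Item hierarchy (hypothetical, not MariaDB source).
struct Item {
  enum Type { FIELD_ITEM, FUNC_ITEM, USER_VAR_OUT_ITEM };
  virtual ~Item() = default;
  virtual Type type() const = 0;
};
struct Item_field : Item {                    // plain, updatable column
  std::string stored;
  Type type() const override { return FIELD_ITEM; }
};
struct Item_func_concat : Item {              // CONCAT(c1,'') in the view: not updatable
  Type type() const override { return FUNC_ITEM; }
};
struct Item_user_var_as_out_param : Item {    // @var target in the column list
  std::string value;
  Type type() const override { return USER_VAR_OUT_ITEM; }
  void set_value(const std::string &v) { value = v; }
};

enum StoreResult { STORED_IN_FIELD, STORED_IN_USER_VAR, REJECTED_NOT_UPDATABLE };

// Reported pattern (assumed shape): any non-field item is treated as a user variable.
// Passing an Item_func_concat here is undefined behaviour.
StoreResult store_unchecked(Item *item, const std::string &v) {
  if (item->type() == Item::FIELD_ITEM) {
    static_cast<Item_field *>(item)->stored = v;
    return STORED_IN_FIELD;
  }
  ((Item_user_var_as_out_param *) item)->set_value(v);   // unchecked downcast
  return STORED_IN_USER_VAR;
}

// Checked form: dispatch on the type tag and refuse anything that is not a valid target.
StoreResult store_checked(Item *item, const std::string &v) {
  switch (item->type()) {
  case Item::FIELD_ITEM:
    static_cast<Item_field *>(item)->stored = v;
    return STORED_IN_FIELD;
  case Item::USER_VAR_OUT_ITEM:
    static_cast<Item_user_var_as_out_param *>(item)->set_value(v);
    return STORED_IN_USER_VAR;
  default:
    return REJECTED_NOT_UPDATABLE;   // caller reports an error instead of writing
  }
}

int main() {   // the view's CONCAT column is refused, not written through
  Item_func_concat c;
  return store_checked(&c, "test") == REJECTED_NOT_UPDATABLE ? 0 : 1;
}
```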
      

        Activity

          bar Alexander Barkov created issue -
          bar Alexander Barkov made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          bar Alexander Barkov made changes -
          Fix Version/s 10.2 [ 14601 ]
          Fix Version/s 10.3 [ 22126 ]
          bar Alexander Barkov made changes -
          Labels load_data
          bar Alexander Barkov made changes -
          issue.field.resolutiondate 2017-05-05 07:06:39.0 2017-05-05 07:06:39.098
          bar Alexander Barkov made changes -
          Fix Version/s 10.2.6 [ 22527 ]
          Fix Version/s 10.2 [ 14601 ]
          Resolution Fixed [ 1 ]
          Status In Progress [ 3 ] Closed [ 6 ]
          serg Sergei Golubchik made changes -
          Workflow MariaDB v3 [ 80615 ] MariaDB v4 [ 152093 ]

          People

            bar Alexander Barkov
            bar Alexander Barkov