[MDEV-16698] ASAN: heap-use-after-free in field_longstr::uncompress - Jira

XML

Word

Printable

Details

Type: Bug
Status: Confirmed (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11
Fix Version/s: 10.5, 10.6, 10.11, 11.2, 11.4
Component/s: None
Labels:
None

Description

CREATE TABLE t5 (

  i1 smallint(11) unsigned zerofill ,

  e1 enum('','a') ,

  b1 mediumblob /*!100301 COMPRESSED*/ ,

  d2 date NOT NULL DEFAULT '1900-01-01',

  pk bigint(20) unsigned NOT NULL DEFAULT 0,

  d1 timestamp NULL ,

  v1 varbinary(3362) ,

  t1 time NOT NULL DEFAULT '00:00:00'

);

INSERT INTO t5 VALUES (00000000004,'','ufhjdtv','1992-07-25',1,'2035-06-05 09:02:48','f','13:25:21'),(00000000001,'','jdt','1998-07-03',2,'1994-05-05 19:59:20','','09:09:19'),(00000000000,'','d','2007-12-05',3,'0000-00-00 00:00:00','tvs','02:51:15');

SELECT GROUP_CONCAT(t5.i1, IF(t5.e1, t5.b1, t5.e1),

    IF(t5.d1, t5.t1, t5.d1), t5.v1,

    IF(t5.i1, t5.i1, t5.d2), t5.v1, t5.b1

    ORDER BY 2,6 SEPARATOR ';')

FROM (t5 JOIN t5 AS tt ON (tt.pk != t5.pk));

Version: '10.3.9-MariaDB-debug-log'

=================================================================

==19272==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00000cd70 at pc 0x557c02b7bf40 bp 0x7fe6e3cd3400 sp 0x7fe6e3cd33f0

READ of size 1 at 0x60c00000cd70 thread T5

    #0 0x557c02b7bf3f in Field_longstr::uncompress(String*, String*, unsigned char const*, unsigned int) /home/alice/git/10.3/sql/field.cc:8041

    #1 0x557c02b83eb4 in Field_blob_compressed::val_str(String*, String*) /home/alice/git/10.3/sql/field.cc:8717

    #2 0x557c022c47d9 in Field::val_str(String*) /home/alice/git/10.3/sql/field.h:839

    #3 0x557c02b9d2a1 in Field::val_str(String*, unsigned char const*) /home/alice/git/10.3/sql/field.h:1327

    #4 0x557c02e04f8f in dump_leaf_key /home/alice/git/10.3/sql/item_sum.cc:3597

    #5 0x557c03c95bbd in tree_walk_left_root_right /home/alice/git/10.3/mysys/tree.c:591

    #6 0x557c03c95add in tree_walk_left_root_right /home/alice/git/10.3/mysys/tree.c:590

    #7 0x557c03c95a32 in tree_walk /home/alice/git/10.3/mysys/tree.c:578

    #8 0x557c02e0abdc in Item_func_group_concat::val_str(String*) /home/alice/git/10.3/sql/item_sum.cc:4118

    #9 0x557c0297119d in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /home/alice/git/10.3/sql/sql_type.cc:5271

    #10 0x557c02978667 in Type_handler_string_result::Item_send(Item*, Protocol*, st_value*) const (/home/alice/git/10.3/sql/mysqld+0x140e667)

    #11 0x557c022c7deb in Item::send(Protocol*, st_value*) /home/alice/git/10.3/sql/item.h:877

    #12 0x557c022bbb15 in Protocol::send_result_set_row(List<Item>*) /home/alice/git/10.3/sql/protocol.cc:986

    #13 0x557c02424e25 in select_send::send_data(List<Item>&) /home/alice/git/10.3/sql/sql_class.cc:2932

    #14 0x557c02623f02 in end_send_group(JOIN*, st_join_table*, bool) /home/alice/git/10.3/sql/sql_select.cc:20599

    #15 0x557c02619772 in sub_select(JOIN*, st_join_table*, bool) /home/alice/git/10.3/sql/sql_select.cc:19222

    #16 0x557c026192d6 in sub_select_cache(JOIN*, st_join_table*, bool) /home/alice/git/10.3/sql/sql_select.cc:19054

    #17 0x557c02619772 in sub_select(JOIN*, st_join_table*, bool) /home/alice/git/10.3/sql/sql_select.cc:19222

    #18 0x557c026183e6 in do_select /home/alice/git/10.3/sql/sql_select.cc:18813

    #19 0x557c025b7c0c in JOIN::exec_inner() /home/alice/git/10.3/sql/sql_select.cc:4021

    #20 0x557c025b5951 in JOIN::exec() /home/alice/git/10.3/sql/sql_select.cc:3815

    #21 0x557c025b8d23 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/alice/git/10.3/sql/sql_select.cc:4220

    #22 0x557c02594568 in handle_select(THD*, LEX*, select_result*, unsigned long) /home/alice/git/10.3/sql/sql_select.cc:382

    #23 0x557c0251a0b9 in execute_sqlcom_select /home/alice/git/10.3/sql/sql_parse.cc:6542

    #24 0x557c025088cc in mysql_execute_command(THD*) /home/alice/git/10.3/sql/sql_parse.cc:3765

    #25 0x557c025229c7 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/alice/git/10.3/sql/sql_parse.cc:8073

    #26 0x557c024fd6ae in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/alice/git/10.3/sql/sql_parse.cc:1847

    #27 0x557c024fa846 in do_command(THD*) /home/alice/git/10.3/sql/sql_parse.cc:1392

    #28 0x557c02849ca1 in do_handle_one_connection(CONNECT*) /home/alice/git/10.3/sql/sql_connect.cc:1402

    #29 0x557c0284967e in handle_one_connection /home/alice/git/10.3/sql/sql_connect.cc:1308

    #30 0x557c03b611d4 in pfs_spawn_thread /home/alice/git/10.3/storage/perfschema/pfs.cc:1862

    #31 0x7fe6ee6336b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

    #32 0x7fe6edac841c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

Attachments

Issue Links

relates to

MDEV-16699 heap-use-after-free in group_concat with compressed or GIS columns

Closed

Activity

People

Assignee:: Alexander Barkov

Reporter:: Alice Sherepa

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2018-07-05 12:45

Updated:: 6 hours ago

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.