Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-16699

heap-use-after-free in group_concat with compressed or GIS columns

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Critical
    • Resolution: Fixed
    • 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL), 11.2, 11.3(EOL), 11.4, 11.5(EOL)
    • 10.5.27, 10.6.20, 10.11.10, 11.2.6, 11.4.4
    • Server
    • None

    Description

      CREATE TABLE t5 (
      		 
        i1 smallint(11) unsigned zerofill ,
      		 
        e1 enum('','a') ,
      		 
        b1 mediumblob /*!100301 COMPRESSED*/ ,
      		 
        d2 date NOT NULL DEFAULT '1900-01-01',
      		 
        pk bigint(20) unsigned NOT NULL DEFAULT 0,
      		 
        d1 timestamp NULL ,
      		 
        v1 varbinary(3362) ,
      		 
        t1 time NOT NULL DEFAULT '00:00:00'
      		 
      );
      		 
       
      		 
      INSERT INTO t5 VALUES (00000000004,'','ufhjdtv','1992-07-25',1,'2035-06-05 09:02:48','f','13:25:21'),(00000000001,'','jdt','1998-07-03',2,'1994-05-05 19:59:20','','09:09:19'),(00000000000,'','d','2007-12-05',3,'0000-00-00 00:00:00','tvs','02:51:15');
      		 
       
      		 
      SELECT GROUP_CONCAT(t5.i1, IF(t5.e1, t5.b1, t5.e1), 
          IF(t5.d1, t5.t1, t5.d1), t5.v1, 
          IF(t5.i1, t5.i1, t5.d2), t5.v1, t5.b1
      		 
          ORDER BY 2,6,1,7,4,3,5 SEPARATOR ';') 
      FROM (t5 JOIN t5 AS tt ON (tt.pk != t5.pk));


       10.3 commit 1748a31ae8d69e49
      		 
      Version: '10.3.9-MariaDB-debug-log'  socket: '/home/alice/git/10.3/mysql-test/var/tmp/mysqld.1.sock'  port: 16000  Source distribution
      		 
      =================================================================
      		 
      ==22714==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00000cd70 at pc 0x7f2a7f953676 bp 0x7f2a73e24900 sp 0x7f2a73e240a8
      		 
      READ of size 2 at 0x60c00000cd70 thread T5
      		 
          #0 0x7f2a7f953675 in memcmp (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x77675)
      		 
          #1 0x55ead621f4e2 in my_strnncoll_binary /home/alice/git/10.3/strings/ctype-bin.c:85
      		 
          #2 0x55ead621f565 in my_strnncollsp_binary /home/alice/git/10.3/strings/ctype-bin.c:124
      		 
          #3 0x55ead50bce36 in Field_blob::cmp(unsigned char const*, unsigned int, unsigned char const*, unsigned int) /home/alice/git/10.3/sql/field.cc:8364
      		 
          #4 0x55ead50bd0de in Field_blob::cmp_max(unsigned char const*, unsigned char const*, unsigned int) /home/alice/git/10.3/sql/field.cc:8377
      		 
          #5 0x55ead50e0c2b in Field_blob::cmp(unsigned char const*, unsigned char const*) /home/alice/git/10.3/sql/field.h:3651
      		 
          #6 0x55ead5340596 in group_concat_key_cmp_with_order /home/alice/git/10.3/sql/item_sum.cc:3525
      		 
          #7 0x55ead61cf79f in tree_insert /home/alice/git/10.3/mysys/tree.c:250
      		 
          #8 0x55ead5344292 in Item_func_group_concat::add() /home/alice/git/10.3/sql/item_sum.cc:3880
      		 
          #9 0x55ead53480c5 in Aggregator_simple::add() /home/alice/git/10.3/sql/item_sum.h:706
      		 
          #10 0x55ead4b92fd7 in Item_sum::aggregator_add() (/home/alice/git/10.3/sql/mysqld+0x10ecfd7)
      		 
          #11 0x55ead4b77c97 in update_sum_func /home/alice/git/10.3/sql/sql_select.cc:24207
      		 
          #12 0x55ead4b60650 in end_send_group(JOIN*, st_join_table*, bool) /home/alice/git/10.3/sql/sql_select.cc:20664
      		 
          #13 0x55ead4e0c908 in JOIN_CACHE::generate_full_extensions(unsigned char*) /home/alice/git/10.3/sql/sql_join_cache.cc:2400
      		 
          #14 0x55ead4e0c223 in JOIN_CACHE::join_matching_records(bool) /home/alice/git/10.3/sql/sql_join_cache.cc:2292
      		 
          #15 0x55ead4e0abb6 in JOIN_CACHE::join_records(bool) /home/alice/git/10.3/sql/sql_join_cache.cc:2088
      		 
          #16 0x55ead4b55295 in sub_select_cache(JOIN*, st_join_table*, bool) /home/alice/git/10.3/sql/sql_select.cc:19051
      		 
          #17 0x55ead4b55772 in sub_select(JOIN*, st_join_table*, bool) /home/alice/git/10.3/sql/sql_select.cc:19222
      		 
          #18 0x55ead4b543e6 in do_select /home/alice/git/10.3/sql/sql_select.cc:18813
      		 
          #19 0x55ead4af3c0c in JOIN::exec_inner() /home/alice/git/10.3/sql/sql_select.cc:4021
      		 
          #20 0x55ead4af1951 in JOIN::exec() /home/alice/git/10.3/sql/sql_select.cc:3815
      		 
          #21 0x55ead4af4d23 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/alice/git/10.3/sql/sql_select.cc:4220
      		 
          #22 0x55ead4ad0568 in handle_select(THD*, LEX*, select_result*, unsigned long) /home/alice/git/10.3/sql/sql_select.cc:382
      		 
          #23 0x55ead4a560b9 in execute_sqlcom_select /home/alice/git/10.3/sql/sql_parse.cc:6542
      		 
          #24 0x55ead4a448cc in mysql_execute_command(THD*) /home/alice/git/10.3/sql/sql_parse.cc:3765
      		 
          #25 0x55ead4a5e9c7 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/alice/git/10.3/sql/sql_parse.cc:8073
      		 
          #26 0x55ead4a396ae in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/alice/git/10.3/sql/sql_parse.cc:1847
      		 
          #27 0x55ead4a36846 in do_command(THD*) /home/alice/git/10.3/sql/sql_parse.cc:1392
      		 
          #28 0x55ead4d85ca1 in do_handle_one_connection(CONNECT*) /home/alice/git/10.3/sql/sql_connect.cc:1402
      		 
          #29 0x55ead4d8567e in handle_one_connection /home/alice/git/10.3/sql/sql_connect.cc:1308
      		 
          #30 0x55ead609d1d4 in pfs_spawn_thread /home/alice/git/10.3/storage/perfschema/pfs.cc:1862
      		 
          #31 0x7f2a7e7886b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
      		 
          #32 0x7f2a7dc1d41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

      without ASAN it returns: ZLIB: Input data corrupted

      CURRENT_TEST: main.1_my
      		 
      mysqltest: At line 20: query 'SELECT GROUP_CONCAT(t5.i1, IF(t5.e1, t5.b1, t5.e1), 
      IF(t5.d1, t5.t1, t5.d1), t5.v1, 
      IF(t5.i1, t5.i1, t5.d2), t5.v1, t5.b1
      		 
      ORDER BY 2,6,1,7,4,3,5 SEPARATOR ';') 
      FROM (t5 JOIN t5 AS tt ON (tt.pk != t5.pk))' failed: 1259: ZLIB: Input data corrupted

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-14391 InnoDB crash, memory corruption

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-16698 ASAN: heap-use-after-free in field_longstr::uncompress

          • Major - Major loss of function.
          • Confirmed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-20619 AddressSanitizer: heap-use-after-free in my_strnncollsp_simple or my_strnncoll_binary upon SELECT with partitions and virtual columns

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-31845 UBSAN: runtime error: null pointer passed as argument 2, which is declared to never be null in my_strnncoll_binary on SELECT

          • Major - Major loss of function.
          • Confirmed

          Activity

            People

              serg Sergei Golubchik
              alice Alice Sherepa
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.