[MDEV-18925] ASAN heap-use-after-free in Item_exists_subselect::is_top_level_item - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.2, 10.3
Fix Version/s: 10.2.37, 10.3.28
Component/s: Data Manipulation - Subquery
Labels:
None

Description

10.2 69abd43703fcf68c4cf1
==24741==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000db2b1 at pc 0x55da1d1d8b7f bp 0x7fe1516c44b0 sp 0x7fe1516c44a0
READ of size 1 at 0x6290000db2b1 thread T33
#0 0x55da1d1d8b7e in Item_exists_subselect::is_top_level_item() /10.2/src/sql/item_subselect.h:410
#1 0x55da1d1d8b7e in Item_in_optimizer::is_top_level_item() /10.2/src/sql/item_cmpfunc.cc:1218
#2 0x55da1d1d8bc0 in Item_in_optimizer::eval_not_null_tables(void*) /10.2/src/sql/item_cmpfunc.cc:1237
#3 0x55da1cafd2f6 in Item_func_or_sum::walk(bool (Item::)(void), bool, void*) /10.2/src/sql/item.h:4263
#4 0x55da1d1c6df2 in Item_cond::walk(bool (Item::)(void), bool, void*) /10.2/src/sql/item_cmpfunc.cc:4751
#5 0x55da1cbb243b in st_select_lex::update_used_tables() /10.2/src/sql/sql_lex.cc:4245
#6 0x55da1cbb678e in st_select_lex::optimize_unflattened_subqueries(bool) /10.2/src/sql/sql_lex.cc:3862
#7 0x55da1cf6b9f6 in JOIN::optimize_constant_subqueries() /10.2/src/sql/opt_subselect.cc:5341
#8 0x55da1cce6eca in JOIN::optimize_inner() /10.2/src/sql/sql_select.cc:1337
#9 0x55da1ccf4f7b in JOIN::optimize() /10.2/src/sql/sql_select.cc:1115
#10 0x55da1ccfdc62 in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /10.2/src/sql/sql_select.cc:3804
#11 0x55da1ccfe5c7 in handle_select(THD, LEX, select_result*, unsigned long) /10.2/src/sql/sql_select.cc:376
#12 0x55da1cbbbf6b in execute_sqlcom_select /10.2/src/sql/sql_parse.cc:6525
#13 0x55da1cbd7a18 in mysql_execute_command(THD*) /10.2/src/sql/sql_parse.cc:3537
#14 0x55da1cbf04ac in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /10.2/src/sql/sql_parse.cc:8059
#15 0x55da1cbf7292 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /10.2/src/sql/sql_parse.cc:1829
#16 0x55da1cbfe428 in do_command(THD*) /10.2/src/sql/sql_parse.cc:1379
#17 0x55da1ceb01a6 in do_handle_one_connection(CONNECT*) /10.2/src/sql/sql_connect.cc:1335
#18 0x55da1ceb069e in handle_one_connection /10.2/src/sql/sql_connect.cc:1241
#19 0x7fe1828176b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#20 0x7fe181ec241c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

it depends on the length of the query

SELECT alias1.`col_varchar_key` AS cfield1 FROM ( `view_A` AS alias1, `B` AS alias2 ) WHERE ( ( SELECT MIN( SQ1_alias1.`pk` ) AS SQ1_ifield1 FROM ( `D` AS SQ1_alias1 INNER JOIN ( `CC` AS SQ1_alias2 INNER JOIN `BB` AS SQ1_alias3 ON (SQ1_alias3.`col_varchar_key` = SQ1_alias2.`col_varchar_key` ) ) ON (SQ1_alias3.`col_varchar_key` = SQ1_alias2.`col_varchar_nokey` ) ) WHERE EXISTS ( SELECT SQL_SMALL_RESULT C_SQ1_alias1.`col_int_nokey` AS C_SQ1_ifield1 FROM `C` AS C_SQ1_alias1 WHERE C_SQ1_alias1.`col_varchar_key` > SQ1_alias3.`col_varchar_nokey` ) ) IS NULL ) AND alias1.`pk` IS NULL GROUP BY cfield1  /* QNO 41 CON_ID 17 */;

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

dt.7z
672 kB
2019-03-14 14:14

Issue Links

relates to

MDEV-18339 ASAN heap-buffer-overflow in Item_exists_subselect::is_top_level_item

Closed

Activity

People

Assignee:: Oleksandr Byelkin

Reporter:: Alice Sherepa

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2019-03-14 14:01

Updated:: 2021-01-29 10:39

Resolved:: 2021-01-29 10:39

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.