MariaDB Server: MDEV-18925

ASAN heap-use-after-free in Item_exists_subselect::is_top_level_item

Details

    Description

      10.2 69abd43703fcf68c4cf1

      ==24741==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000db2b1 at pc 0x55da1d1d8b7f bp 0x7fe1516c44b0 sp 0x7fe1516c44a0
      READ of size 1 at 0x6290000db2b1 thread T33
          #0 0x55da1d1d8b7e in Item_exists_subselect::is_top_level_item() /10.2/src/sql/item_subselect.h:410
          #1 0x55da1d1d8b7e in Item_in_optimizer::is_top_level_item() /10.2/src/sql/item_cmpfunc.cc:1218
          #2 0x55da1d1d8bc0 in Item_in_optimizer::eval_not_null_tables(void*) /10.2/src/sql/item_cmpfunc.cc:1237
          #3 0x55da1cafd2f6 in Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*) /10.2/src/sql/item.h:4263
          #4 0x55da1d1c6df2 in Item_cond::walk(bool (Item::*)(void*), bool, void*) /10.2/src/sql/item_cmpfunc.cc:4751
          #5 0x55da1cbb243b in st_select_lex::update_used_tables() /10.2/src/sql/sql_lex.cc:4245
          #6 0x55da1cbb678e in st_select_lex::optimize_unflattened_subqueries(bool) /10.2/src/sql/sql_lex.cc:3862
          #7 0x55da1cf6b9f6 in JOIN::optimize_constant_subqueries() /10.2/src/sql/opt_subselect.cc:5341
          #8 0x55da1cce6eca in JOIN::optimize_inner() /10.2/src/sql/sql_select.cc:1337
          #9 0x55da1ccf4f7b in JOIN::optimize() /10.2/src/sql/sql_select.cc:1115
          #10 0x55da1ccfdc62 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.2/src/sql/sql_select.cc:3804
          #11 0x55da1ccfe5c7 in handle_select(THD*, LEX*, select_result*, unsigned long) /10.2/src/sql/sql_select.cc:376
          #12 0x55da1cbbbf6b in execute_sqlcom_select /10.2/src/sql/sql_parse.cc:6525
          #13 0x55da1cbd7a18 in mysql_execute_command(THD*) /10.2/src/sql/sql_parse.cc:3537
          #14 0x55da1cbf04ac in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.2/src/sql/sql_parse.cc:8059
          #15 0x55da1cbf7292 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.2/src/sql/sql_parse.cc:1829
          #16 0x55da1cbfe428 in do_command(THD*) /10.2/src/sql/sql_parse.cc:1379
          #17 0x55da1ceb01a6 in do_handle_one_connection(CONNECT*) /10.2/src/sql/sql_connect.cc:1335
          #18 0x55da1ceb069e in handle_one_connection /10.2/src/sql/sql_connect.cc:1241
          #19 0x7fe1828176b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
          #20 0x7fe181ec241c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
      

      It depends on the length of the query.

      SELECT alias1.`col_varchar_key` AS cfield1 FROM ( `view_A` AS alias1, `B` AS alias2 ) WHERE ( ( SELECT MIN( SQ1_alias1.`pk` ) AS SQ1_ifield1 FROM ( `D` AS SQ1_alias1 INNER JOIN ( `CC` AS SQ1_alias2 INNER JOIN `BB` AS SQ1_alias3 ON (SQ1_alias3.`col_varchar_key` = SQ1_alias2.`col_varchar_key` ) ) ON (SQ1_alias3.`col_varchar_key` = SQ1_alias2.`col_varchar_nokey` ) ) WHERE EXISTS ( SELECT SQL_SMALL_RESULT C_SQ1_alias1.`col_int_nokey` AS C_SQ1_ifield1 FROM `C` AS C_SQ1_alias1 WHERE C_SQ1_alias1.`col_varchar_key` > SQ1_alias3.`col_varchar_nokey` ) ) IS NULL ) AND alias1.`pk` IS NULL GROUP BY cfield1  /* QNO 41 CON_ID 17 */;
      

      Attachments

        1. dt.7z
          672 kB
          Alice Sherepa

            People

              sanja Oleksandr Byelkin
              alice Alice Sherepa