MariaDB Server / MDEV-25778

Overrun buffer in to_string_native()


    Description

      CREATE TABLE t1 (a DECIMAL(15,11) ZEROFILL);
      INSERT INTO t1 (a) VALUES (0.1),(0.2);
      SELECT ENCRYPT(a) AS f, COUNT(*) FROM t1 GROUP BY f;
       
      # Cleanup
      DROP TABLE t1;
      

      'SELECT ENCRYPT(a) AS f, COUNT(*) FROM t1 GROUP BY f' failed: <Unknown> (5): Out of memory (Needed 24 bytes)
      

      10.6 71e1ddda debug

      Error: Reallocating overrun buffer 0x60e00002c570 at mysys/safemalloc.c:352, mysys/safemalloc.c:185, mysys/my_malloc.c:151, sql/sql_string.cc:98, sql/sql_string.h:703, sql/sql_string.h:669, sql/item_strfunc.cc:2281, sql/item.cc:6663
      Allocated at mysys/my_malloc.c:90, sql/sql_string.cc:104, sql/sql_string.h:703, sql/sql_string.cc:229, sql/sql_string.h:879, sql/item_strfunc.cc:2290, sql/item.cc:6663, sql/sql_type.cc:4324
      Error: Freeing overrun buffer 0x60e00002c570 at mysys/safemalloc.c:352, mysys/safemalloc.c:200, mysys/my_malloc.c:212, sql/sql_string.h:228, sql/sql_string.h:459, sql/sql_string.h:467, sql/sql_string.h:819, sql/item_strfunc.cc:2289
      Allocated at mysys/my_malloc.c:90, sql/sql_string.cc:104, sql/sql_string.h:703, sql/sql_string.cc:229, sql/sql_string.h:879, sql/item_strfunc.cc:2290, sql/item.cc:6663, sql/sql_type.cc:4324
      

      10.6 71e1ddda valgrind

      ==1788135== Invalid write of size 1
      ==1788135==    at 0x17C4DFB: decimal2string (decimal.c:395)
      ==1788135==    by 0xF7063B: my_decimal::to_string_native(String*, unsigned int, unsigned int, char, unsigned int) const (my_decimal.cc:120)
      ==1788135==    by 0x9078FE: my_decimal::to_string(String*, unsigned int, unsigned int, char) const (my_decimal.h:218)
      ==1788135==    by 0xBE0280: Field_new_decimal::val_str(String*, String*) (field.h:2403)
      ==1788135==    by 0xDFE677: Item_field::val_str(String*) (item.cc:3277)
      ==1788135==    by 0xEAC112: Item_func_encrypt::val_str(String*) (item_strfunc.cc:2259)
      ==1788135==    by 0xE0907C: Item::save_str_in_field(Field*, bool) (item.cc:6663)
      ==1788135==    by 0xCAA6C9: Type_handler_string_result::Item_save_in_field(Item*, Field*, bool) const (sql_type.cc:4323)
      ==1788135==    by 0xE093CC: Item::save_in_field(Field*, bool) (item.cc:6711)
      ==1788135==    by 0x9A43FD: Item_result_field::save_in_result_field(bool) (item.h:3406)
      ==1788135==    by 0xAD627C: copy_funcs(Item**, THD const*) (sql_select.cc:26168)
      ==1788135==    by 0xACCDA0: end_update(JOIN*, st_join_table*, bool) (sql_select.cc:22562)
      ==1788135==    by 0xADFC6F: AGGR_OP::put_record(bool) (sql_select.cc:29317)
      ==1788135==    by 0xAE7B04: AGGR_OP::put_record() (sql_select.h:1056)
      ==1788135==    by 0xAC841B: sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) (sql_select.cc:20710)
      ==1788135==    by 0xAC9101: evaluate_join_record(JOIN*, st_join_table*, int) (sql_select.cc:21217)
      ==1788135==  Address 0xc3ec408 is 0 bytes after a block of size 40 alloc'd
      ==1788135==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==1788135==    by 0x1754683: my_malloc (my_malloc.c:90)
      ==1788135==    by 0xB2D224: Binary_string::realloc_raw(unsigned long) (sql_string.cc:104)
      ==1788135==    by 0x8F55C0: Binary_string::realloc(unsigned long) (sql_string.h:703)
      ==1788135==    by 0xB2D911: Binary_string::copy() (sql_string.cc:229)
      ==1788135==    by 0xCCF261: String::copy() (sql_string.h:878)
      ==1788135==    by 0xEAC395: Item_func_encrypt::val_str(String*) (item_strfunc.cc:2289)
      ==1788135==    by 0xE0907C: Item::save_str_in_field(Field*, bool) (item.cc:6663)
      ==1788135==    by 0xCAA6C9: Type_handler_string_result::Item_save_in_field(Item*, Field*, bool) const (sql_type.cc:4323)
      ==1788135==    by 0xE093CC: Item::save_in_field(Field*, bool) (item.cc:6711)
      ==1788135==    by 0x90AF4B: Item::save_org_in_field(Field*, int (*)(Field*, Field*)) (item.h:1198)
      ==1788135==    by 0xACCC26: end_update(JOIN*, st_join_table*, bool) (sql_select.cc:22540)
      ==1788135==    by 0xADFC6F: AGGR_OP::put_record(bool) (sql_select.cc:29317)
      ==1788135==    by 0xAE7B04: AGGR_OP::put_record() (sql_select.h:1056)
      ==1788135==    by 0xAC841B: sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) (sql_select.cc:20710)
      ==1788135==    by 0xAC9101: evaluate_join_record(JOIN*, st_join_table*, int) (sql_select.cc:21217)
      ==1788135== Conditional jump or move depends on uninitialised value(s)
      ==1788135==    at 0x483EF58: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==1788135==    by 0x48794BE: ??? (in /usr/lib/x86_64-linux-gnu/libcrypt.so.1.1.0)
      ==1788135==    by 0x48796E0: crypt_r (in /usr/lib/x86_64-linux-gnu/libcrypt.so.1.1.0)
      ==1788135==    by 0xEAC329: Item_func_encrypt::val_str(String*) (item_strfunc.cc:2281)
      ==1788135==    by 0xE0907C: Item::save_str_in_field(Field*, bool) (item.cc:6663)
      ==1788135==    by 0xCAA6C9: Type_handler_string_result::Item_save_in_field(Item*, Field*, bool) const (sql_type.cc:4323)
      ==1788135==    by 0xE093CC: Item::save_in_field(Field*, bool) (item.cc:6711)
      ==1788135==    by 0x9A43FD: Item_result_field::save_in_result_field(bool) (item.h:3406)
      ==1788135==    by 0xAD627C: copy_funcs(Item**, THD const*) (sql_select.cc:26168)
      ==1788135==    by 0xACCDA0: end_update(JOIN*, st_join_table*, bool) (sql_select.cc:22562)
      ==1788135==    by 0xADFC6F: AGGR_OP::put_record(bool) (sql_select.cc:29317)
      ==1788135==    by 0xAE7B04: AGGR_OP::put_record() (sql_select.h:1056)
      ==1788135==    by 0xAC841B: sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) (sql_select.cc:20710)
      ==1788135==    by 0xAC9101: evaluate_join_record(JOIN*, st_join_table*, int) (sql_select.cc:21217)
      ==1788135==    by 0xAC89B8: sub_select(JOIN*, st_join_table*, bool) (sql_select.cc:20994)
      ==1788135==    by 0xAC7DD9: do_select(JOIN*, Procedure*) (sql_select.cc:20541)
      
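As an added example (not part of this issue or of MariaDB's own tooling): a small Python triage helper that reads Memcheck "Invalid read/write" records like the one above and reports the access size, the faulting frame, the heap block that was missed and the frame that allocated it. The embedded input is a constructed excerpt of the trace quoted above, not a fresh run.

```python
import re
# Constructed excerpt: the first frames of the Memcheck report quoted in this issue.
VALGRIND_REPORT = """\
==1788135== Invalid write of size 1
==1788135==    at 0x17C4DFB: decimal2string (decimal.c:395)
==1788135==    by 0xF7063B: my_decimal::to_string_native(String*, unsigned int, unsigned int, char, unsigned int) const (my_decimal.cc:120)
==1788135==  Address 0xc3ec408 is 0 bytes after a block of size 40 alloc'd
==1788135==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1788135==    by 0xB2D224: Binary_string::realloc_raw(unsigned long) (sql_string.cc:104)
==1788135== Conditional jump or move depends on uninitialised value(s)
"""
HEADER = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+?) \((.+)\)$")
ADDR = re.compile(r"^==\d+==\s+Address 0x[0-9a-f]+ is (\d+) bytes (after|before|inside) a block of size (\d+) alloc'd$")

def parse_invalid_accesses(report):
    # One dict per "Invalid read/write" record: kind, size, faulting frames and, when
    # Memcheck can tell, the missed heap block plus the frames that allocated it.
    errors, cur, key = [], None, None
    for line in report.splitlines():
        if m := HEADER.match(line):
            cur, key = {"kind": m[1], "size": int(m[2]), "fault": [], "alloc": [], "block": None}, "fault"
            errors.append(cur)
        elif cur is None:
            continue
        elif m := ADDR.match(line):
            cur["block"], key = {"offset": int(m[1]), "where": m[2], "size": int(m[3])}, "alloc"
        elif m := FRAME.match(line):
            cur[key].append((m[1], m[2]))
        else:  # any other report line (here a different error kind) closes the record
            cur = key = None
    return errors

def owning_frame(frames):
    # First frame that is neither Valgrind's preload shim nor an allocator wrapper
    # (malloc, MariaDB's my_malloc): the code that actually owns the buffer.
    for func, loc in frames:
        if "vgpreload" not in loc and func not in ("malloc", "my_malloc"):
            return f"{func.split('(')[0]} ({loc})"
    return "unknown"

def triage(report):
    # One summary line per record; a write landing after the block end is a heap buffer overflow.
    out = []
    for e in parse_invalid_accesses(report):
        s = f"{e['kind']} of {e['size']} byte(s) at {owning_frame(e['fault'])}"
        if b := e["block"]:
            s += f"; {b['offset']} byte(s) {b['where']} a {b['size']}-byte heap block allocated by {owning_frame(e['alloc'])}"
            if e["kind"] == "write" and b["where"] == "after":
                s += " -> heap buffer overflow (write past block end)"
        out.append(s)
    return out
```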

      10.6 71e1ddda non-debug

      double free or corruption (out)
      210526 13:53:09 [ERROR] mysqld got signal 6 ;
      This could be because you hit a bug. It is also possible that this binary
      or one of the libraries it was linked against is corrupt, improperly built,
      or misconfigured. This error can also be caused by malfunctioning hardware.
       
      To report this bug, see https://mariadb.com/kb/en/reporting-bugs
       
      We will try our best to scrape up some info that will hopefully help
      diagnose the problem, but since we have already crashed, 
      something is definitely wrong and this may fail.
       
      Server version: 10.6.2-MariaDB-log
      key_buffer_size=1048576
      read_buffer_size=131072
      max_used_connections=1
      max_threads=153
      thread_count=1
      It is possible that mysqld could use up to 
      key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63732 K  bytes of memory
      Hope that's ok; if not, decrease some variables in the equation.
       
      Thread pointer: 0x7f1c24000c58
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0x7f1c4036fd98 thread_stack 0x49000
      

      (Non-debug server hangs after this).

      The failure started happening in 10.6 after this commit:

      commit 36cdd5c3cdb06d8538f64c0b312ffe4672a92e75
      Author: Monty
      Date:   Wed Sep 16 11:23:50 2020 +0300
       
          Optimize usage of c_ptr(), c_ptr_quick() and String::alloc()
      

            People

              monty Michael Widenius
              elenst Elena Stepanova