[MDEV-25994] Crash with union of my_decimal type in ORDER BY clause - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 5.5(EOL), 10.0(EOL), 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6
Fix Version/s: 10.2.44, 10.3.35, 10.4.25, 10.5.16, 10.6.8, 10.7.4, 10.8.3, 10.9.1
Component/s: Optimizer
Labels:
None

Description

Steps to reproduce:

CREATE TABLE v0 ( v1 INTEGER ) ;

INSERT INTO v0 ( v1 ) VALUES ( 8 ) ;

UPDATE v0 SET v1 = 1 ORDER BY ( SELECT 1.1 UNION SELECT -1 );

sigaction.c:0(__restore_rt)[0x7f5b729fc870]

sql/my_decimal.h:132(my_decimal::operator=(my_decimal const&))[0x55e7157e1e30]

sql/my_decimal.h:354(my_decimal2decimal(my_decimal const*, my_decimal*))[0x55e7157e2011]

sql/my_decimal.cc:207(my_decimal::to_binary(unsigned char*, int, unsigned short, unsigned int) const)[0x55e715a84a04]

sql/filesort.cc:1321(Type_handler_decimal_result::make_sort_key_part(unsigned char*, Item*, SORT_FIELD_ATTR const*, Sort_param*) const)[0x55e7158e8810]

sql/filesort.cc:3030(make_sortkey(Sort_param*, unsigned char*))[0x55e7158ecfe6]

sql/filesort.cc:1352(make_sortkey(Sort_param*, unsigned char*, unsigned char*, bool))[0x55e7158e8933]

sql/filesort.cc:969(find_all_keys(THD*, Sort_param*, SQL_SELECT*, SORT_INFO*, st_io_cache*, st_io_cache*, Bounded_queue<unsigned char, unsigned char>*, unsigned long long*))[0x55e7158e7592]

sql/filesort.cc:357(filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long))[0x55e7158e53fb]

sql/sql_update.cc:796(mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*))[0x55e7156b1588]

sql/sql_parse.cc:4399(mysql_execute_command(THD*))[0x55e71557ebb4]

sql/sql_parse.cc:8016(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55e71558ad79]

sql/sql_parse.cc:1899(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55e7155773a8]

sql/sql_parse.cc:1406(do_command(THD*, bool))[0x55e715575d6b]

sql/sql_connect.cc:1410(do_handle_one_connection(CONNECT*, bool))[0x55e71572ca46]

sql/sql_connect.cc:1314(handle_one_connection)[0x55e71572c7b1]

perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55e715c4180a]

pthread_create.c:0(start_thread)[0x7f5b729f2259]

:0(__GI___clone)[0x7f5b7259d5e3]

Attachments

Issue Links

is duplicated by

MDEV-26280 MariaDB server crash at my_decimal::operator=

Closed

MDEV-26404 A SEGV insql/filesort.cc

Closed

MDEV-27080 Malicious data type overflow in joint query leads to service coredump

Closed

relates to

MDEV-29019 Assertion `(length % 4) == 0' failed in my_lengthsp_utf32 on SELECT

Closed

MDEV-32324 Server crashes inside filesort at my_decimal::to_binary

Closed

MDEV-32718 Segmentation fault at /mariadb-11.3.0/sql/my_decimal.h:132

Confirmed

(1 relates to)

Activity

People

Assignee:: Sergei Petrunia

Reporter:: Vicențiu Ciorbaru

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2021-06-23 07:33

Updated:: 2024-04-04 11:55

Resolved:: 2022-04-22 12:31

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.