Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-28646

Binary_string::alloc allocates redundant 1 byte for a terminator

    XMLWordPrintable

Details

    • Bug
    • Status: Open (View Workflow)
    • Minor
    • Resolution: Unresolved
    • 10.6, 10.7(EOL), 10.8(EOL)
    • 10.6
    • Server
    • None

    Description

      This was found during the investigation of MDEV-28315

      Here
      https://github.com/MariaDB/server/blob/10.8/sql/sql_string.h#L709
      inside `alloc` it increments the length for the size to allocate probably considering a NULL terminator.

      However inside `Binary_string::realloc_raw` it increments the length passed in:
      https://github.com/MariaDB/server/blob/10.8/sql/sql_string.cc#L92

      Therefore the 1st increment should not be necessary. That being said, when I tried omitting the `+1` part I saw a test failure.

      worker[1] Using MTR_BUILD_THREAD 300, with reserved ports 16000..16019
      		 
      main.pool_of_threads                     [ fail ]
      		 
              Test ended at 2022-05-22 14:00:32
      		 
       
      		 
      CURRENT_TEST: main.pool_of_threads
      		 
      mysqltest: In included file "./include/common-tests.inc":
      		 
      included from /home/norakagi/projects/mariadb-dev/server/MDEV-28315/mysql-test/main/pool_of_threads.test at line 12:
      		 
      At line 13: query 'drop table if exists t1,t2,t3,t4' failed: <Unknown> (5): Out of memory (Needed 24 bytes)
      		 
       
      		 
      The result from queries just before the failure was:
      		 
      SET optimizer_switch='outer_join_with_cache=off';
      		 
      drop table if exists t1,t2,t3,t4;
      		 
       
      		 
       - saving '/home/norakagi/projects/mariadb-dev/server/MDEV-28315/bld/mysql-test/var/log/main.pool_of_threads/' to '/home/norakagi/projects/mariadb-dev/server/MDEV-28315/bld/mysql-test/var/log/main.pool_of_threads/'
      		 
      --------------------------------------------------------------------------
      		 
      The servers were restarted 0 times
      		 
      Spent 0.000 of 2 seconds executing testcases
      		 
       
      		 
      Failure: Failed 1/1 tests, 0.00% were successful.

      So there has to be an issue related this part. For now, I left this part as it is because there seems to be no prominent error observed and adding one extra byte should no harm.

      I am cutting this ticket for future research.

      The change was introduced in this commit

      commit 36cdd5c3cdb06d8538f64c0b312ffe4672a92e75
      Author: Monty
      Date: Wed Sep 16 11:23:50 2020 +0300

      Optimize usage of c_ptr(), c_ptr_quick() and String::alloc()

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-28315 ASAN stack-buffer-overflow in String::copy_aligned

          • Major - Major loss of function.
          • Closed

          Activity

            People

              monty Michael Widenius
              redtree1112 Norio Akagi
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.