  1. MariaDB Server
  2. MDEV-29359

Server crashed with heap-use-after-free in Field::is_null(long long) const


Details

    Description

      output:

      SUMMARY: AddressSanitizer: heap-use-after-free /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/field.h:1389 in Field::is_null(long long) const

      poc:

      -- Reproducer script from the report. The vNNNN identifiers and the "database_fuzz" build path in
      -- the ASan summary suggest it is fuzzer-generated and not minimised.
      -- Setup: one table with a single FLOAT NOT NULL column.
      CREATE TABLE v1340 ( v1341 FLOAT NOT NULL ) ;
       -- Seed a single row with the value -1.
       INSERT INTO v1340 ( v1341 ) VALUES ( -1 ) ;
       -- Assuming v1340 was freshly created above, its only row holds -1, so WHERE v1341 = 51 matches
       -- nothing and this UPDATE changes no rows.
       UPDATE v1340 SET v1341 = 70 WHERE v1341 = 51 ;
       -- Two more rows; with the earlier insert the table holds -1, 0 and 84.
       INSERT INTO v1340 ( v1341 ) VALUES ( 0 ) , ( 84 ) ;
       -- Last statement of the script; presumably the one that reaches the reported heap-use-after-free
       -- in Field::is_null (the report does not say which statement crashes -- confirm on an ASan build).
       -- What the text shows:
       --   * the CTE v1343 is declared but never referenced by the outer SELECT;
       --   * the named windows v1348, v1354 and v1355 are declared, but the statement contains no OVER
       --     clause, so no window function uses them;
       --   * v1348 and v1354 ORDER BY a scalar subquery over comma/JOIN products of v1340 and carry
       --     RANGE ... FOLLOWING frames;
       --   * the predicates nest BETWEEN, NOT IN, IN, CASE and EXISTS subqueries that all read v1341.
       -- NOTE(review): the page carries only the ASan SUMMARY line; the allocation and free stacks of the
       -- full report are needed to tell which of these constructs owns the freed Field.
       WITH v1343 AS ( SELECT v1341 FROM ( SELECT v1341 FROM v1340 GROUP BY v1341 ) AS v1342 ) SELECT v1341 FROM v1340 WHERE v1341 BETWEEN FALSE AND ( ( ( v1341 OR NOT v1341 ) BETWEEN ( ( ( NOT ( SELECT FALSE FROM v1340 WHERE ( v1341 , 'x' ) NOT IN ( SELECT ( 'x' = ( v1341 IN ( SELECT v1341 FROM v1340 WHERE v1341 = CASE WHEN v1341 * ( SELECT 90 FROM v1340 AS v1344 WHERE v1341 BETWEEN 31066339.000000 AND 76 WINDOW v1348 AS ( PARTITION BY v1341 ORDER BY ( SELECT DISTINCT 29 FROM v1340 AS v1345 , v1340 AS v1346 , v1340 AS v1347 JOIN v1340 ) DESC RANGE BETWEEN 64903499.000000 FOLLOWING AND 83565757.000000 FOLLOWING ) ) ^ v1341 THEN 'x' ELSE v1341 END / 83 WINDOW v1354 AS ( PARTITION BY v1341 ORDER BY ( SELECT DISTINCT 127 FROM ( SELECT DISTINCT ( ( NOT ( 38309169.000000 AND v1341 = -1 ) ) = 31 AND v1341 = -128 ) % 90 , ( v1341 = 6 OR v1341 > 'x' ) FROM v1340 WHERE EXISTS ( SELECT ( v1341 NOT IN ( v1341 ) AND v1341 NOT IN ( -128 ^ v1341 ) ) , v1341 + v1341 FROM v1340 GROUP BY v1341 HAVING ( v1341 != 79 AND v1341 = v1341 AND ( NOT ( 'x' = 'x' AND FALSE = 45 ) ) AND v1341 LIKE 'x' ) WINDOW v1355 AS ( ORDER BY v1341 - v1341 , ( 0 < v1341 AND v1341 = 0 ) ) ) ) AS v1350 NATURAL JOIN v1340 AS v1351 , v1340 AS v1352 , v1340 AS v1353 JOIN v1340 ) DESC RANGE BETWEEN 90766484.000000 FOLLOWING AND 77472811.000000 FOLLOWING ) ) ) ) , 'x' FROM v1340 ) ) * -1 + 25 ^ 50 - v1341 ) ) ) AND 0 ) ) ;
      


            People

              psergei Sergei Petrunia
              nobody Shihao Wen

