Hi, I found a potential null pointer dereference bug in the project source code, and I have shown the execution sequence of the program that may generate the bug in the graph below. The red text illustrates the steps that generate the bug, the red arrows represent the control flow, and the file path can be seen in the blue-framed section.
Although the code shown is for version 10.3, the bug still exists in the current version.
Could you help check whether this bug is real? Thank you for your effort and patience!
Daniel Black
added a comment - mysql_store_result seems to say NULL is returned for errors (which is handled correctly, or 0 results like INSERT/UPDATE). spider_db_mbase::exec_query where print_warnings seems to take an update, so looks valid.
jaskldj
added a comment (edited) - I don't understand what you mean. As you say, "mysql_store_result seems to say NULL is returned for errors". By looking at the source code of the mysql_store_result function, it can be seen that not all sites that return NULL set errno to a non-zero value. So it is possible that the res pointer in the figure is NULL while errno is 0, so that the function print_warning does not return at line 2205, and a dereference of the NULL pointer res will occur at line 2209 in the graph.
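The reasoning in the comment above (a NULL result handle while errno is still 0, so a guard that only consults errno is not enough) is easiest to see in a small constructed program. The following C example is added here and is not Spider's or MariaDB's code: `fake_mysql`, `fake_result`, `fake_store_result` and `fake_errno` are stand-ins that only reproduce the documented contract of mysql_store_result() and mysql_errno() (NULL on error with errno set, and NULL with errno 0 for statements such as INSERT/UPDATE that produce no result set). `null_deref_reachable_errno_only` and `print_warnings_fixed` are assumed shapes of the guard before and after adding a NULL check; they are not the actual print_warnings at lines 2205/2209.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed stand-ins for a connection and a result handle. They are not
 * libmysqlclient's MYSQL / MYSQL_RES; they only reproduce the contract that
 * matters here: mysql_store_result() returns NULL both when an error occurred
 * (mysql_errno() non-zero) and when the statement produced no result set
 * (INSERT/UPDATE, mysql_errno() still 0).
 */
typedef struct {
    unsigned int last_errno;   /* what mysql_errno() would report */
    int has_result_set;        /* 1 if the last statement returned rows */
} fake_mysql;

typedef struct {
    int row_count;
} fake_result;

static fake_result shared_result = { 3 };   /* constructed: "3 warning rows" */

static unsigned int fake_errno(const fake_mysql *db) { return db->last_errno; }

static fake_result *fake_store_result(const fake_mysql *db) {
    if (db->last_errno != 0) return NULL;   /* error: NULL with errno set */
    if (!db->has_result_set) return NULL;   /* no result set: NULL, errno 0 */
    return &shared_result;
}

/*
 * Shape of the reported code path: only mysql_errno() guards the use of res.
 * Instead of dereferencing res, this returns 1 when control would reach the
 * dereference with res == NULL, so the bad case can be exercised safely.
 */
static int null_deref_reachable_errno_only(unsigned int last_errno, int has_result_set) {
    fake_mysql db = { last_errno, has_result_set };
    fake_result *res = fake_store_result(&db);
    if (fake_errno(&db) != 0)
        return 0;               /* early return: res is never used */
    return res == NULL;         /* the original code would now read through res */
}

/*
 * Hardened shape: a NULL handle means "nothing to print", regardless of errno.
 * Returns -1 on error, 0 when there is no result set, else the row count.
 */
static int print_warnings_fixed(unsigned int last_errno, int has_result_set) {
    fake_mysql db = { last_errno, has_result_set };
    fake_result *res = fake_store_result(&db);
    if (fake_errno(&db) != 0)
        return -1;
    if (res == NULL)
        return 0;               /* INSERT/UPDATE: no warnings result to walk */
    return res->row_count;
}

int main(void) {
    struct { const char *what; unsigned int err; int rows; } cases[] = {
        { "SELECT with rows",             0,    1 },
        { "INSERT (no result set)",       0,    0 },
        { "failed statement (errno set)", 1406, 0 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-30s reachable-NULL-deref=%d fixed=%d\n", cases[i].what,
               null_deref_reachable_errno_only(cases[i].err, cases[i].rows),
               print_warnings_fixed(cases[i].err, cases[i].rows));
    }
    return 0;
}
```

Build with `cc -Wall example.c && ./a.out`. The "INSERT (no result set)" row is the case the comment describes: the errno-only guard lets control through while the handle is NULL, whereas the version that also checks the handle returns 0 (nothing to print). The error row shows why the errno check alone looked sufficient at first glance: when errno is set, the early return does protect the dereference.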
Nayuta Yanagisawa (Inactive)
added a comment - ash1852 Thank you for the report.
According to the implementation, the above-mentioned null pointer dereference seems to be logically possible, while it wouldn't be easy to find a test case that actually causes the null pointer dereference.
Yuchen Pei
added a comment (edited) - I've taken a look at nayuta's patch be0a46b3d52b58956fd0d47d040b9f4514406954 and would like to push it. holyfoot, I assume you are still ok for it to be pushed?
hold on. I'm getting a test failure for 10.4, patch applied to 603836e281a.
CURRENT_TEST: spider/bugfix.mdev_29644
mysqltest: At line 36: query 'INSERT INTO tbl_a VALUES ("this will be truncated")' failed: 1406: Data too long for column 'a' at row 1
Yuchen Pei
added a comment - I made some minor changes to the test case so that it passes on 10.4. Can you take a look, holyfoot? Thank you. https://github.com/MariaDB/server/commit/d346bd3ab03
Yuchen Pei
added a comment (edited) - Thanks for the comments and review, holyfoot. The comments were incorporated and the patch pushed to 10.3.
Some merge conflicts needed to be handled, and below are patches for all versions:
10.3-4: 9b32e4b1923
10.5-8: b98375f9df0
10.9-11.0: 5075f4e0dae