Details
-
Bug
-
Status: Stalled (View Workflow)
-
Critical
-
Resolution: Unresolved
-
11.2
-
None
Description
SET @arr1='[1,2,3]'; |
SET character_set_database=ucs2; |
SET CHARACTER SET utf8; |
SET @obj1='{ "a": 1,"b": 2,"c": 3}'; |
SELECT JSON_OBJECT_FILTER_KEYS (@obj1,@arr1); |
Leads to
|
11.2.0 acb02f646ebbd8b100c30621b92dcc0e2e4db7b3 (Optimized, UBASAN) |
==175334==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000005015 at pc 0x5636bd0eb9f5 bp 0x14a29583ce20 sp 0x14a29583c5c8
|
WRITE of size 7 at 0x602000005015 thread T35
|
#0 0x5636bd0eb9f4 in strncpy (/test/mtest/MDEV-5816/UBASAN_MD190623-mariadb-11.2.0-linux-x86_64-opt/bin/mariadbd+0x7b0b9f4)
|
#1 0x5636be5ba782 in filter_keys /test/mtest/MDEV-5816/11.1_opt_san/sql/item_jsonfunc.cc:5275
|
#2 0x5636be5ba782 in Item_func_json_object_filter_keys::val_str(String*) /test/mtest/MDEV-5816/11.1_opt_san/sql/item_jsonfunc.cc:5328
|
#3 0x5636be848f3d in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_type.cc:7446
|
#4 0x5636bd332461 in Protocol::send_result_set_row(List<Item>*) /test/mtest/MDEV-5816/11.1_opt_san/sql/protocol.cc:1332
|
#5 0x5636bd677c09 in select_send::send_data(List<Item>&) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_class.cc:3125
|
#6 0x5636bddac19c in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_class.h:5756
|
#7 0x5636bddac19c in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_class.h:5746
|
#8 0x5636bddac19c in JOIN::exec_inner() /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:4799
|
#9 0x5636bddb0849 in JOIN::exec() /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:4710
|
#10 0x5636bdd9dc6c in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:5239
|
#11 0x5636bdda1873 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:627
|
#12 0x5636bd97db3f in execute_sqlcom_select /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:6030
|
#13 0x5636bd9cc217 in mysql_execute_command(THD*, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:3944
|
#14 0x5636bd94d2f0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:7769
|
#15 0x5636bd9a29a8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:1892
|
#16 0x5636bd9ae14d in do_command(THD*, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:1405
|
#17 0x5636be2de6bd in do_handle_one_connection(CONNECT*, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_connect.cc:1416
|
#18 0x5636be2e0d2c in handle_one_connection /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_connect.cc:1318
|
#19 0x14a2bb280608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
|
#20 0x14a2ba4f5132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
|
|
|
0x602000005015 is located 0 bytes to the right of 5-byte region [0x602000005010,0x602000005015)
|
allocated by thread T35 here:
|
#0 0x5636bd13e9a8 in __interceptor_malloc (/test/mtest/MDEV-5816/UBASAN_MD190623-mariadb-11.2.0-linux-x86_64-opt/bin/mariadbd+0x7b5e9a8)
|
#1 0x5636be5ba721 in filter_keys /test/mtest/MDEV-5816/11.1_opt_san/sql/item_jsonfunc.cc:5274
|
#2 0x5636be5ba721 in Item_func_json_object_filter_keys::val_str(String*) /test/mtest/MDEV-5816/11.1_opt_san/sql/item_jsonfunc.cc:5328
|
#3 0x5636be848f3d in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_type.cc:7446
|
#4 0x5636bd332461 in Protocol::send_result_set_row(List<Item>*) /test/mtest/MDEV-5816/11.1_opt_san/sql/protocol.cc:1332
|
#5 0x5636bd677c09 in select_send::send_data(List<Item>&) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_class.cc:3125
|
#6 0x5636bddac19c in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_class.h:5756
|
#7 0x5636bddac19c in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_class.h:5746
|
#8 0x5636bddac19c in JOIN::exec_inner() /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:4799
|
#9 0x5636bddb0849 in JOIN::exec() /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:4710
|
#10 0x5636bdd9dc6c in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:5239
|
#11 0x5636bdda1873 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:627
|
#12 0x5636bd97db3f in execute_sqlcom_select /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:6030
|
#13 0x5636bd9cc217 in mysql_execute_command(THD*, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:3944
|
#14 0x5636bd94d2f0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:7769
|
#15 0x5636bd9a29a8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:1892
|
#16 0x5636bd9ae14d in do_command(THD*, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:1405
|
#17 0x5636be2de6bd in do_handle_one_connection(CONNECT*, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_connect.cc:1416
|
#18 0x5636be2e0d2c in handle_one_connection /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_connect.cc:1318
|
#19 0x14a2bb280608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
|
|
|
Thread T35 created by T0 here:
|
#0 0x5636bd06b9e5 in pthread_create (/test/mtest/MDEV-5816/UBASAN_MD190623-mariadb-11.2.0-linux-x86_64-opt/bin/mariadbd+0x7a8b9e5)
|
#1 0x5636bd18f6a3 in create_thread_to_handle_connection(CONNECT*) /test/mtest/MDEV-5816/11.1_opt_san/sql/mysqld.cc:6144
|
#2 0x5636bd1a040f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/mtest/MDEV-5816/11.1_opt_san/sql/mysqld.cc:6268
|
#3 0x5636bd1a1427 in handle_connections_sockets() /test/mtest/MDEV-5816/11.1_opt_san/sql/mysqld.cc:6392
|
#4 0x5636bd1a43a4 in mysqld_main(int, char**) /test/mtest/MDEV-5816/11.1_opt_san/sql/mysqld.cc:6039
|
#5 0x14a2ba3fa082 in __libc_start_main ../csu/libc-start.c:308
|
|
|
SUMMARY: AddressSanitizer: heap-buffer-overflow (/test/mtest/MDEV-5816/UBASAN_MD190623-mariadb-11.2.0-linux-x86_64-opt/bin/mariadbd+0x7b0b9f4) in strncpy
|
Attachments
Issue Links
- relates to
-
MDEV-26182 Create a function to check for JSON intersection
-
- Closed
-