MariaDB Server: MDEV-31566

Fix buffer overrun in dynstr_append_json_quote

Details

    Description

      The server often crashes.
      Each time the top error frame is RtlFreeHeap(), with a different stack list.
      The following are error stacks from version 10.4.30.
      Yet other software on the same server is stable.

      1: exception 0xc0000005

      ntdll.dll!RtlFreeHeap()
      ucrtbase.DLL!_free_base()
      mysqld.exe!dict_mem_table_free()[dict0mem.cc:248]
      mysqld.exe!ibuf_rec_get_volume_func()[ibuf0ibuf.cc:1638]
      mysqld.exe!ibuf_get_merge_page_nos_func()[ibuf0ibuf.cc:2306]
      mysqld.exe!ibuf_merge_pages()[ibuf0ibuf.cc:2434]
      mysqld.exe!ibuf_merge_in_background()[ibuf0ibuf.cc:2630]
      mysqld.exe!srv_master_do_active_tasks()[srv0srv.cc:2115]
      mysqld.exe!srv_master_thread()[srv0srv.cc:2349]
      kernel32.dll!BaseThreadInitThunk()
      ntdll.dll!RtlUserThreadStart()
      

      2: exception 0xc0000005

      ntdll.dll!RtlFreeHeap()
      ucrtbase.DLL!_free_base()
      mysqld.exe!Item_func_dyncol_json::val_str()[item_strfunc.cc:4802]
      mysqld.exe!Item::save_str_in_field()[item.cc:6676]
      mysqld.exe!Item::save_in_field()[item.cc:6724]
      mysqld.exe!fill_record()[sql_base.cc:8932]
      mysqld.exe!select_unit::send_data()[sql_union.cc:130]
      mysqld.exe!end_send()[sql_select.cc:22057]
      mysqld.exe!evaluate_join_record()[sql_select.cc:21090]
      mysqld.exe!sub_select()[sql_select.cc:20901]
      mysqld.exe!do_select()[sql_select.cc:20386]
      mysqld.exe!JOIN::exec_inner()[sql_select.cc:4590]
      mysqld.exe!JOIN::exec()[sql_select.cc:4373]
      mysqld.exe!mysql_select()[sql_select.cc:4813]
      mysqld.exe!mysql_derived_fill()[sql_derived.cc:1258]
      mysqld.exe!mysql_handle_single_derived()[sql_derived.cc:200]
      mysqld.exe!st_join_table::preread_init()[sql_select.cc:13838]
      mysqld.exe!sub_select()[sql_select.cc:20826]
      mysqld.exe!do_select()[sql_select.cc:20386]
      mysqld.exe!JOIN::exec_inner()[sql_select.cc:4590]
      mysqld.exe!JOIN::exec()[sql_select.cc:4373]
      mysqld.exe!mysql_select()[sql_select.cc:4813]
      mysqld.exe!handle_select()[sql_select.cc:442]
      mysqld.exe!execute_sqlcom_select()[sql_parse.cc:6463]
      mysqld.exe!mysql_execute_command()[sql_parse.cc:3966]
      mysqld.exe!mysql_parse()[sql_parse.cc:8002]
      mysqld.exe!dispatch_command()[sql_parse.cc:1860]
      mysqld.exe!do_command()[sql_parse.cc:1378]
      mysqld.exe!threadpool_process_request()[threadpool_common.cc:373]
      mysqld.exe!tp_callback()[threadpool_common.cc:192]
      ntdll.dll!RtlDllShutdownInProgress()
      ntdll.dll!DbgUiRemoteBreakin()
      kernel32.dll!BaseThreadInitThunk()
      ntdll.dll!RtlUserThreadStart()
      

      3: exception 0xc0000005

      ntdll.dll!RtlFreeHeap()
      ucrtbase.DLL!_free_base()
      mysqld.exe!delete_dynamic()[array.c:305]
      mysqld.exe!my_hash_free()[hash.c:159]
      mysqld.exe!THD::cleanup()[sql_class.cc:1558]
      mysqld.exe!THD::change_user()[sql_class.cc:1412]
      mysqld.exe!dispatch_command()[sql_parse.cc:1709]
      mysqld.exe!do_command()[sql_parse.cc:1378]
      mysqld.exe!threadpool_process_request()[threadpool_common.cc:373]
      mysqld.exe!tp_callback()[threadpool_common.cc:192]
      ntdll.dll!RtlDllShutdownInProgress()
      ntdll.dll!DbgUiRemoteBreakin()
      kernel32.dll!BaseThreadInitThunk()
      ntdll.dll!RtlUserThreadStart()


        Activity

          hghua george he added a comment -

          After applying the fix in pull request #2892, a new crash appears when running this SQL:
          select column_json(0x0402000900000003000300740C6A736E766F6C756D652E000900EFBFBD004300020045000200470003004A0004004E00050053000500580005005D000500620005000C67000C6A000C6D000C7000052C00051B00052C000CEFBFBD0007EFBFBD006638663966313070696332626F785F63626F785F67626F785F6B626F785F7666355F696402343402343402333241687474703A2F2F6F73732E68646238382E636F6D2F302F70686F746F2F30373865653765376336343634616236386130343833373333323636613532612E67696608302E303532323732244F1E00030180C106)

          I'm so disappointed!

          hghua george he added a comment -

          I fixed the bug and updated the pull request.
          The bug was still in mysys/ma_dyncol.c, in dynstr_append_json_quoted().

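The thread does not say what the overrun in dynstr_append_json_quoted() was. As an added illustration of the bug class the title names (hypothetical code, not MariaDB's), here is a JSON-quoting append routine for a minimal growable string that reserves the worst-case escaped length before writing, so escape expansion of a caller-supplied blob cannot run past the buffer; the dynstr_t type and both functions are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal growable string; not MariaDB's DYNAMIC_STRING. */
typedef struct { char *str; size_t length, max_length; } dynstr_t;
/* Ensure room for `extra` more bytes plus a NUL, doubling capacity as needed. */
static int dynstr_reserve(dynstr_t *d, size_t extra)
{
    size_t need = d->length + extra + 1, cap = d->max_length ? d->max_length : 16;
    if (need <= d->max_length)
        return 0;
    while (cap < need)
        cap *= 2;
    char *p = realloc(d->str, cap);
    if (!p)
        return -1;
    d->str = p;
    d->max_length = cap;
    return 0;
}
/* Append src[0..len) as a JSON string literal. Each input byte expands to at
   most 6 output bytes ("\u00XX"), plus two quotes, so the worst case is
   reserved once up front and no per-byte write can run past the buffer. */
static int dynstr_append_json_quoted(dynstr_t *d, const char *src, size_t len)
{
    if (dynstr_reserve(d, len * 6 + 2))
        return -1;
    char *out = d->str + d->length;
    *out++ = '"';
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        switch (c) {
        case '"':  *out++ = '\\'; *out++ = '"';  break;
        case '\\': *out++ = '\\'; *out++ = '\\'; break;
        case '\n': *out++ = '\\'; *out++ = 'n';  break;
        case '\r': *out++ = '\\'; *out++ = 'r';  break;
        case '\t': *out++ = '\\'; *out++ = 't';  break;
        default:
            if (c < 0x20)       /* remaining control bytes: \u00XX */
                out += sprintf(out, "\\u%04x", (unsigned)c);
            else                /* printable ASCII and UTF-8 bytes pass through */
                *out++ = (char)c;
        }
    }
    *out++ = '"'; *out = '\0';
    d->length = (size_t)(out - d->str);
    return 0;
}
```

The sizing rule is the point: compute the maximum expansion of the input before writing, not the length of the input, and grow once rather than trusting the caller's blob to be well-formed.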
          danblack Daniel Black added a comment -

          Thanks hghua for the bug report and fix. This just missed the current in-progress release but will be in the next one.


          serg Sergei Golubchik added a comment -

          Reopened, according to buildbot the test fails in the --view mode.
          danblack Daniel Black added a comment -

          Ack, fixed - https://github.com/MariaDB/server/pull/3248 , though I might just be hiding some view mode mtr bug.


          People

            danblack Daniel Black
            hghua george he