  1. MariaDB Server
  2. MDEV-32416

Heap-Use-After-Free at /mariadb-11.3.0/sql/item_strfunc.cc:2432

Details

    • Type: Bug
    • Status: Confirmed
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 11.3.0, 10.4(EOL), 10.5, 10.6, 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL)
    • Fix Version/s: 10.5, 10.6, 10.11, 11.4
    • Component/s: Server
    • Labels: None
    • Environment: Ubuntu 20.04

    Description

      Run these queries in debug build:

      CREATE TABLE t0 ( c16 TEXT , c42 INT ) ;
      INSERT INTO t0 VALUES ( -57 , 60 ) , ( -5 , -28 ) ;
      CREATE INDEX i0 ON t0 ( c16 ) ;
      INSERT INTO t0 VALUES ( -9174437064508089785 , -87 ) , ( -43 , 41 ) ;
      SELECT t0 . c42 AS c42 FROM ( SELECT DISTINCT c16 AS c16 FROM t0 GROUP BY c42 , c16 HAVING RPAD ( c42 , MIN( EXISTS ( SELECT CONCAT ( -2 , 'Z<B > V]1ZJ0g>Mexwz4' ) = ALL ( SELECT c42 AS c42 FROM t0 HAVING TRIM( TRAILING FROM c16 ) ) AS c28 , ROW_NUMBER ( ) OVER ( PARTITION BY 0 , -42 , -79 , 19 , -33 , NOT COUNT( DISTINCT 3 , ~ UNHEX ( -107 ) / REPEAT ( 23 , SIN ( -40 ) IS TRUE ) >> INSTR ( -33 , '!`tH^uPn1i>3%REeyf:' ) % SIN ( -35 ) ) << RAND ( ) & TRIM( TRAILING FROM -32 ) , -863219839305554182 , -5 ) AS c2 FROM ( SELECT NULL AS c45 FROM t0 ) AS t1 ) ) * + EXISTS ( SELECT NOT t0 . c42 = RAND ( ) / TRIM( c42 FROM 'L9OhrY3btSEK,' ) IS NOT FALSE AS c25 ) , 'nHs|4XQyN%VoZ%@O|"k*1T@]96CjJmG.a%8=|8<{L"[' ) ) AS t2 JOIN t0 ON t0 . c42 = t2 . c16 ;

      Will trigger heap-use-after-free.
      ASAN info:
      =================================================================
      ==90846==ERROR: AddressSanitizer: heap-use-after-free on address 0x6290000dc28a at pc 0x000001527cb4 bp 0x7fffd24274f0 sp 0x7fffd24274e8
      READ of size 1 at 0x6290000dc28a thread T15
      #0 0x1527cb3 in Item_func_rtrim::val_str(String*) /home/wx/mariadb-11.3.0/sql/item_strfunc.cc:2432:27
      #1 0x150c0d8 in Item_str_func::val_real() /home/wx/mariadb-11.3.0/sql/item_strfunc.cc:156:16
      #2 0x10d6d80 in Type_handler_string_result::Item_val_bool(Item*) const /home/wx/mariadb-11.3.0/sql/sql_type.cc:5092:16
      #3 0x13dc287 in Item_cond_and::val_int() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:5524:16
      #4 0xc36c7c in end_send(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:24685:37
      #5 0xc9e283 in evaluate_join_record(JOIN*, st_join_table*, int) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23677:11
      #6 0xbe3395 in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23444:9
      #7 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
      #8 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
      #9 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
      #10 0x15d8105 in subselect_single_select_engine::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4159:23
      #11 0x15b4baa in Item_subselect::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812:21
      #12 0x15b4baa in Item_in_subselect::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:994:3
      #13 0x15be5df in Item_in_subselect::val_bool() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1991:7
      #14 0x13b4fcb in Item_in_optimizer::val_int() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:1664:17
      #15 0x1376611 in Item_cache_int::cache_value() /home/wx/mariadb-11.3.0/sql/item.cc:10161:19
      #16 0x136cb0b in Item_cache_wrapper::cache() /home/wx/mariadb-11.3.0/sql/item.cc:8915:15
      #17 0x136cb0b in Item_cache_wrapper::val_bool() /home/wx/mariadb-11.3.0/sql/item.cc:9101:3
      #18 0x13a5d60 in Item_func_not_all::val_int() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:222:24
      #19 0x13552b7 in Item::save_int_in_field(Field*, bool) /home/wx/mariadb-11.3.0/sql/item.cc:6843:16
      #20 0x13554a8 in Item::save_in_field(Field*, bool) /home/wx/mariadb-11.3.0/sql/item.cc:6853:30
      #21 0xc9a3e6 in copy_funcs(Item*, THD const) /home/wx/mariadb-11.3.0/sql/sql_select.cc:28843:11
      #22 0xc9a3e6 in end_write_group(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:25267:11
      #23 0xc9e283 in evaluate_join_record(JOIN*, st_join_table*, int) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23677:11
      #24 0xbe3395 in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23444:9
      #25 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
      #26 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
      #27 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
      #28 0x15d8105 in subselect_single_select_engine::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4159:23
      #29 0x15b3edb in Item_subselect::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812:21
      #30 0x15bda3c in Item_exists_subselect::val_int() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1840:24
      #31 0x160307a in Item_sum_min_max::reset_field() /home/wx/mariadb-11.3.0/sql/item_sum.cc:2796:24
      #32 0xc98d3f in init_tmptable_sum_functions(Item_sum**) /home/wx/mariadb-11.3.0/sql/sql_select.cc:28763:11
      #33 0xc98d3f in end_unique_update(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:25138:3
      #34 0xc9e283 in evaluate_join_record(JOIN*, st_join_table*, int) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23677:11
      #35 0xbe340e in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23481:9
      #36 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
      #37 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
      #38 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
      #39 0xbe5127 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249:21
      #40 0xa56eb6 in mysql_derived_fill(THD*, LEX*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_derived.cc:1266:10
      #41 0xa57cc1 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /home/wx/mariadb-11.3.0/sql/sql_derived.cc:200:15
      #42 0xc71b7f in st_join_table::preread_init() /home/wx/mariadb-11.3.0/sql/sql_select.cc:16029:7
      #43 0xbe2fe9 in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23392:49
      #44 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
      #45 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
      #46 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
      #47 0xbe5127 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249:21
      #48 0xbe4595 in handle_select(THD*, LEX*, select_result*, unsigned long long) /home/wx/mariadb-11.3.0/sql/sql_select.cc:628:10
      #49 0xb3df17 in execute_sqlcom_select(THD*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013:12
      #50 0xb2cd50 in mysql_execute_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912:12
      #51 0xb1fe78 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734:18
      #52 0xb19068 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893:7
      #53 0xb20b70 in do_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406:17
      #54 0xf03475 in do_handle_one_connection(CONNECT*, bool) /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445:11
      #55 0xf02eb8 in handle_one_connection /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347:5
      #56 0x1a00c1a in pfs_spawn_thread /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201:3
      #57 0x7ffff79f7608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
      #58 0x7ffff770f132 in clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

      0x6290000dc28a is located 138 bytes inside of 16512-byte region [0x6290000dc200,0x6290000e0280)
      freed by thread T15 here:
      #0 0x7ca37d in free (/usr/local/mysql/bin/mariadbd+0x7ca37d)
      #1 0x1dd1e62 in mem_heap_free(mem_block_info_t*) /home/wx/mariadb-11.3.0/storage/innobase/include/mem0mem.inl:419:3
      #2 0x1dd1e62 in row_mysql_prebuilt_free_blob_heap(row_prebuilt_t*) /home/wx/mariadb-11.3.0/storage/innobase/row/row0mysql.cc:101:2
      #3 0x1e2a5b3 in row_sel_store_mysql_rec(unsigned char*, row_prebuilt_t*, unsigned char const*, dtuple_t const*, bool, dict_index_t const*, unsigned short const*) /home/wx/mariadb-11.3.0/storage/innobase/row/row0sel.cc:3148:3
      #4 0x1e2513c in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /home/wx/mariadb-11.3.0/storage/innobase/row/row0sel.cc:5689:9
      #5 0x1bbb5a1 in ha_innobase::general_fetch(unsigned char*, unsigned int, unsigned int) /home/wx/mariadb-11.3.0/storage/innobase/handler/ha_innodb.cc:9289:24
      #6 0x12e9459 in handler::ha_rnd_next(unsigned char*) /home/wx/mariadb-11.3.0/sql/handler.cc:3615:5
      #7 0x8b8f83 in rr_sequential(READ_RECORD*) /home/wx/mariadb-11.3.0/sql/records.cc:513:35
      #8 0xbe355b in READ_RECORD::read_record() /home/wx/mariadb-11.3.0/sql/records.h:81:30
      #9 0xbe355b in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23461:18
      #10 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
      #11 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
      #12 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
      #13 0xbe5127 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249:21
      #14 0xa56eb6 in mysql_derived_fill(THD*, LEX*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_derived.cc:1266:10
      #15 0xa57cc1 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /home/wx/mariadb-11.3.0/sql/sql_derived.cc:200:15
      #16 0xc71b7f in st_join_table::preread_init() /home/wx/mariadb-11.3.0/sql/sql_select.cc:16029:7
      #17 0xbe2fe9 in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23392:49
      #18 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
      #19 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
      #20 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
      #21 0xbe5127 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249:21
      #22 0xbe4595 in handle_select(THD*, LEX*, select_result*, unsigned long long) /home/wx/mariadb-11.3.0/sql/sql_select.cc:628:10
      #23 0xb3df17 in execute_sqlcom_select(THD*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013:12
      #24 0xb2cd50 in mysql_execute_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912:12
      #25 0xb1fe78 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734:18
      #26 0xb19068 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893:7
      #27 0xb20b70 in do_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406:17
      #28 0xf03475 in do_handle_one_connection(CONNECT*, bool) /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445:11
      #29 0xf02eb8 in handle_one_connection /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347:5
      #30 0x1a00c1a in pfs_spawn_thread /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201:3
      #31 0x7ffff79f7608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8

      previously allocated by thread T15 here:
      #0 0x7ca5fd in malloc (/usr/local/mysql/bin/mariadbd+0x7ca5fd)
      #1 0x1bfa497 in ut_allocator<unsigned char, true>::allocate(unsigned long, unsigned char const*, unsigned int, bool, bool) /home/wx/mariadb-11.3.0/storage/innobase/include/ut0new.h:375:11
      #2 0x1cdd194 in mem_heap_create_block_func(mem_block_info_t*, unsigned long, unsigned long) /home/wx/mariadb-11.3.0/storage/innobase/mem/mem0mem.cc:277:37
      #3 0x1e38469 in mem_heap_create_func(unsigned long, unsigned long) /home/wx/mariadb-11.3.0/storage/innobase/include/mem0mem.inl:377:10
      #4 0x1e38469 in row_sel_store_mysql_field(unsigned char*, row_prebuilt_t*, unsigned char const*, dict_index_t const*, unsigned short const*, unsigned long, mysql_row_templ_t const*) /home/wx/mariadb-11.3.0/storage/innobase/row/row0sel.cc:3089:27
      #5 0x1e2a2ca in row_sel_store_mysql_rec(unsigned char*, row_prebuilt_t*, unsigned char const*, dtuple_t const*, bool, dict_index_t const*, unsigned short const*) /home/wx/mariadb-11.3.0/storage/innobase/row/row0sel.cc:3235:8
      #6 0x1e2513c in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /home/wx/mariadb-11.3.0/storage/innobase/row/row0sel.cc:5689:9
      #7 0x1bbaeb4 in ha_innobase::index_read(unsigned char*, unsigned char const*, unsigned int, ha_rkey_function) /home/wx/mariadb-11.3.0/storage/innobase/handler/ha_innodb.cc:9029:5
      #8 0x1bbbdc3 in ha_innobase::index_first(unsigned char*) /home/wx/mariadb-11.3.0/storage/innobase/handler/ha_innodb.cc:9385:14
      #9 0x1bbbdc3 in ha_innobase::rnd_next(unsigned char*) /home/wx/mariadb-11.3.0/storage/innobase/handler/ha_innodb.cc:9477:11
      #10 0x12e9459 in handler::ha_rnd_next(unsigned char*) /home/wx/mariadb-11.3.0/sql/handler.cc:3615:5
      #11 0x8b8f83 in rr_sequential(READ_RECORD*) /home/wx/mariadb-11.3.0/sql/records.cc:513:35
      #12 0xbe32cb in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23441:12
      #13 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
      #14 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
      #15 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
      #16 0xbe5127 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249:21
      #17 0xa56eb6 in mysql_derived_fill(THD*, LEX*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_derived.cc:1266:10
      #18 0xa57cc1 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /home/wx/mariadb-11.3.0/sql/sql_derived.cc:200:15
      #19 0xc71b7f in st_join_table::preread_init() /home/wx/mariadb-11.3.0/sql/sql_select.cc:16029:7
      #20 0xbe2fe9 in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23392:49
      #21 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
      #22 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
      #23 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
      #24 0xbe5127 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249:21
      #25 0xbe4595 in handle_select(THD*, LEX*, select_result*, unsigned long long) /home/wx/mariadb-11.3.0/sql/sql_select.cc:628:10
      #26 0xb3df17 in execute_sqlcom_select(THD*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013:12
      #27 0xb2cd50 in mysql_execute_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912:12
      #28 0xb1fe78 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734:18
      #29 0xb19068 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893:7
      #30 0xb20b70 in do_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406:17
      #31 0xf03475 in do_handle_one_connection(CONNECT*, bool) /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445:11
      #32 0xf02eb8 in handle_one_connection /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347:5
      #33 0x1a00c1a in pfs_spawn_thread /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201:3

      Thread T15 created by T0 here:
      #0 0x7b502a in pthread_create (/usr/local/mysql/bin/mariadbd+0x7b502a)
      #1 0x1a00edd in my_thread_create(unsigned long*, pthread_attr_t const*, void* (void*), void*) /home/wx/mariadb-11.3.0/storage/perfschema/my_thread.h:52:10
      #2 0x1a00edd in pfs_spawn_thread_v1 /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2252:15
      #3 0x80e649 in inline_mysql_thread_create(unsigned int, unsigned long*, pthread_attr_t const*, void* (void*), void*) /home/wx/mariadb-11.3.0/include/mysql/psi/mysql_thread.h:1139:11
      #4 0x80e649 in create_thread_to_handle_connection(CONNECT*) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6150:19
      #5 0x80f608 in create_new_thread(CONNECT*) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6212:3
      #6 0x80f608 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6274:5
      #7 0x80caa8 in handle_connections_sockets() /home/wx/mariadb-11.3.0/sql/mysqld.cc:6398:9
      #8 0x8051de in mysqld_main(int, char**) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6045:3
      #9 0x7ffff7614082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

      SUMMARY: AddressSanitizer: heap-use-after-free /home/wx/mariadb-11.3.0/sql/item_strfunc.cc:2432:27 in Item_func_rtrim::val_str(String*)
      ==90846==ABORTING
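
A triage sketch for the report above, added here as an example and not part of the original issue or of MariaDB's tooling: it splits the ASan output into its access, free and allocation stacks and reports the first frame of each that has source information and is not allocator plumbing. `SAMPLE` is a constructed excerpt of frames copied from the report; the `WRAPPERS` file list and the names `parse_stacks`, `culprit` and `triage` are assumptions of this example.

```python
import re

# Constructed excerpt: the header lines and leading frames of each stack in the report.
SAMPLE = """\
==90846==ERROR: AddressSanitizer: heap-use-after-free on address 0x6290000dc28a at pc 0x000001527cb4 bp 0x7fffd24274f0 sp 0x7fffd24274e8
READ of size 1 at 0x6290000dc28a thread T15
#0 0x1527cb3 in Item_func_rtrim::val_str(String*) /home/wx/mariadb-11.3.0/sql/item_strfunc.cc:2432:27
freed by thread T15 here:
#0 0x7ca37d in free (/usr/local/mysql/bin/mariadbd+0x7ca37d)
#1 0x1dd1e62 in mem_heap_free(mem_block_info_t*) /home/wx/mariadb-11.3.0/storage/innobase/include/mem0mem.inl:419:3
#2 0x1dd1e62 in row_mysql_prebuilt_free_blob_heap(row_prebuilt_t*) /home/wx/mariadb-11.3.0/storage/innobase/row/row0mysql.cc:101:2
previously allocated by thread T15 here:
#0 0x7ca5fd in malloc (/usr/local/mysql/bin/mariadbd+0x7ca5fd)
#1 0x1bfa497 in ut_allocator<unsigned char, true>::allocate(unsigned long, unsigned char const*, unsigned int, bool, bool) /home/wx/mariadb-11.3.0/storage/innobase/include/ut0new.h:375:11
#2 0x1cdd194 in mem_heap_create_block_func(mem_block_info_t*, unsigned long, unsigned long) /home/wx/mariadb-11.3.0/storage/innobase/mem/mem0mem.cc:277:37
#3 0x1e38469 in mem_heap_create_func(unsigned long, unsigned long) /home/wx/mariadb-11.3.0/storage/innobase/include/mem0mem.inl:377:10
#4 0x1e38469 in row_sel_store_mysql_field(unsigned char*, row_prebuilt_t*, unsigned char const*, dict_index_t const*, unsigned short const*, unsigned long, mysql_row_templ_t const*) /home/wx/mariadb-11.3.0/storage/innobase/row/row0sel.cc:3089:27
"""

HEADERS = [
    (re.compile(r"^(READ|WRITE) of size \d+ at 0x[0-9a-f]+ thread (T\d+)"), "access"),
    (re.compile(r"^freed by thread (T\d+) here:"), "free"),
    (re.compile(r"^previously allocated by thread (T\d+) here:"), "alloc"),
]
# "#N 0xPC in <function, may contain spaces> <location>"
FRAME = re.compile(r"^#(\d+) 0x[0-9a-f]+ in (.+) (\S+)$")
# Assumption of this example: files treated as generic allocator plumbing.
WRAPPERS = ("mem0mem.inl", "mem0mem.cc", "ut0new.h")

def parse_stacks(report):
    """Group frames under the ASan section header that precedes them."""
    stacks, current = {}, None
    for raw in report.splitlines():
        line = raw.strip()
        for rx, kind in HEADERS:
            m = rx.match(line)
            if m:
                current = kind
                stacks[kind] = {"thread": m.group(m.lastindex), "frames": []}
                break
        else:
            m = FRAME.match(line)
            if m and current:
                stacks[current]["frames"].append((m.group(2).split("(")[0], m.group(3)))
            elif not line.startswith("#"):
                current = None  # any other line ends the section (e.g. "Thread T15 created by")
    return stacks

def culprit(frames):
    """First frame that has source info and is not allocator plumbing."""
    for func, loc in frames:
        if loc.startswith("("):  # interceptor frame: module+offset only, no source line
            continue
        path, line = loc.split(":")[:2]
        name = path.rsplit("/", 1)[-1]
        if name in WRAPPERS:
            continue
        layer = "innodb" if "/storage/innobase/" in path else "sql" if "/sql/" in path else "other"
        return {"func": func, "file": name, "line": int(line), "layer": layer}
    return None

def triage(report):
    stacks = parse_stacks(report)
    out = {kind: culprit(s["frames"]) for kind, s in stacks.items()}
    out["same_thread"] = len({s["thread"] for s in stacks.values()}) == 1
    return out
```

On this report the read is in `Item_func_rtrim::val_str` (SQL layer), while the buffer was allocated in `row_sel_store_mysql_field` and released in `row_mysql_prebuilt_free_blob_heap` (both InnoDB), all on thread T15.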

            People

              Assignee: Sergei Petrunia (psergei)
              Reporter: Xin Wen