MariaDB Server / MDEV-33563

ASAN heap-buffer-overflow in table_def::calc_field_size | unpack_row


Details

    Description

      The ASAN heap-buffer-overflow is present only in 10.[45] release builds; 10.6+ builds crash with a SIG 11 stack.

      CREATE OR REPLACE TABLE t1 (id int(11) default NULL) ENGINE=InnoDB;
      SET GLOBAL slave_exec_mode=IDEMPOTENT;
      BINLOG 'wlZOTw8BAAAA8QAAAPUAAAAAAAQANS41LjIxLU1hcmlhREItZGVidWctbG9nAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAEzgNAAgAEgAEBAQEEgAA2QAEGggAAAAICAgCAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAA371saA==';
      binlog 'bBf2ZBMBAAAANAAAAHUkAAAAAHEAAAAAAAEABHRlc3QAAnQxAAQDDw8IBP0C4h0AaTGFIg==bBf2ZBgBAAAASAAAAL0kAAAAAHEAAAAAAAEABP//8I+kAAABAGIBAGWuv1VNCQAAAPBuWwAAAQBiAQBlrr9VTQkAAADxS9Lu'; 
      

      Leads to:

      10.5.25 d57c44f62635d6afe026345c11b13f543741e83e (Optimized)

      ==739568==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700001d5ad at pc 0x55623361ac33 bp 0x14a888dea5b0 sp 0x14a888dea5a0
      READ of size 1 at 0x60700001d5ad thread T31
          #0 0x55623361ac32 in table_def::calc_field_size(unsigned int, unsigned char*) const /test/server_opt_san/sql/rpl_utility.cc:131
          #1 0x556234dbb91c in unpack_row(rpl_group_info*, TABLE*, unsigned int, unsigned char const*, st_bitmap const*, unsigned char const**, unsigned long*, unsigned char const*) /test/server_opt_san/sql/rpl_record.cc:398
          #2 0x556234d8fb93 in Rows_log_event::unpack_current_row(rpl_group_info*) /test/server_opt_san/sql/log_event.h:5178
          #3 0x556234d8fb93 in Rows_log_event::find_row(rpl_group_info*) /test/server_opt_san/sql/log_event_server.cc:7890
          #4 0x556234d96649 in Update_rows_log_event::do_exec_row(rpl_group_info*) /test/server_opt_san/sql/log_event_server.cc:8390
          #5 0x556234d17ff1 in Rows_log_event::do_apply_event(rpl_group_info*) /test/server_opt_san/sql/log_event_server.cc:5741
          #6 0x5562335cc54e in Log_event::apply_event(rpl_group_info*) /test/server_opt_san/sql/log_event.h:1492
          #7 0x5562335cc54e in mysql_client_binlog_statement(THD*) /test/server_opt_san/sql/sql_binlog.cc:357
          #8 0x556232e9764b in mysql_execute_command(THD*) /test/server_opt_san/sql/sql_parse.cc:6073
          #9 0x556232e19b0d in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/server_opt_san/sql/sql_parse.cc:8196
          #10 0x556232e7894f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/server_opt_san/sql/sql_parse.cc:1891
          #11 0x556232e84ad2 in do_command(THD*) /test/server_opt_san/sql/sql_parse.cc:1375
          #12 0x5562336a0488 in do_handle_one_connection(CONNECT*, bool) /test/server_opt_san/sql/sql_connect.cc:1415
          #13 0x5562336a2afc in handle_one_connection /test/server_opt_san/sql/sql_connect.cc:1317
          #14 0x14a8b0049608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
          #15 0x14a8af2be132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
       
      Address 0x60700001d5ad is a wild pointer.
      SUMMARY: AddressSanitizer: heap-buffer-overflow /test/server_opt_san/sql/rpl_utility.cc:131 in table_def::calc_field_size(unsigned int, unsigned char*) const
      
      

      10.5.25 d57c44f62635d6afe026345c11b13f543741e83e (Debug, UBASAN)

       
      2024-02-29 10:41:53 4 [ERROR] mariadbd: Can't find record in 't1'
      2024-02-29 10:41:53 4 [Warning]  BINLOG_BASE64_EVENT: Could not execute Update_rows_v1 event on table test.t1; Can't find record in 't1', Error_code: 1032; handler error HA_ERR_END_OF_FILE; the event's master log FIRST, end_log_pos 9405, Internal MariaDB error code: 1032
      240229 10:41:53 [ERROR] mysqld got signal 11 ;
      Sorry, we probably made a mistake, and this is a bug.
       
      Your assistance in bug reporting will enable us to fix this for the next release.
      To report this bug, see https://mariadb.com/kb/en/reporting-bugs
       
      We will try our best to scrape up some info that will hopefully help
      diagnose the problem, but since we have already crashed, 
      something is definitely wrong and this may fail.
       
      Server version: 10.5.25-MariaDB-debug source revision: d57c44f62635d6afe026345c11b13f543741e83e
      key_buffer_size=134217728
      read_buffer_size=131072
      max_used_connections=1
      max_threads=10002
      thread_count=1
      It is possible that mysqld could use up to 
      key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 22153496 K  bytes of memory
      Hope that's ok; if not, decrease some variables in the equation.
       
      Thread pointer: 0x62b00007e218
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0x14b482f93bc0 thread_stack 0xb00000
      /test/UBASAN_MD270224-mariadb-10.5.25-linux-x86_64-dbg/bin/mariadbd(+0x7d6f780)[0x55860fab2780]
      /test/UBASAN_MD270224-mariadb-10.5.25-linux-x86_64-dbg/bin/mariadbd(my_print_stacktrace+0xfb)[0x55861460c4cb]
      asan_interceptors.o:0(__interceptor_backtrace.part.0)[0x558611933aba]
      sigaction.c:0(__restore_rt)[0x14b4aa865420]
      sql/rpl_utility.cc:131(table_def::calc_field_size(unsigned int, unsigned char*) const)[0x558610c66026]
      sql/rpl_record.cc:399(unpack_row(rpl_group_info*, TABLE*, unsigned int, unsigned char const*, st_bitmap const*, unsigned char const**, unsigned long*, unsigned char const*))[0x558612861a8d]
      sql/log_event_server.cc:7892(Rows_log_event::find_row(rpl_group_info*))[0x55861283245b]
      sql/log_event_server.cc:8390(Update_rows_log_event::do_exec_row(rpl_group_info*))[0x55861283af7a]
      sql/log_event_server.cc:5741(Rows_log_event::do_apply_event(rpl_group_info*))[0x5586127b2ca4]
      sql/log_event.h:1492(Log_event::apply_event(rpl_group_info*))[0x558610c08eb5]
      sql/sql_parse.cc:6073(mysql_execute_command(THD*))[0x5586103988a8]
      sql/sql_parse.cc:8213(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x5586102dacd2]
      sql/sql_parse.cc:1891(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55861034e50b]
      sql/sql_parse.cc:1375(do_command(THD*))[0x558610360351]
      sql/sql_connect.cc:1415(do_handle_one_connection(CONNECT*, bool))[0x558610d133d4]
      sql/sql_connect.cc:1317(handle_one_connection)[0x558610d15b4e]
      nptl/pthread_create.c:478(start_thread)[0x14b4aa859609]
      addr2line: DWARF error: section .debug_info is larger than its filesize! (0x93ef57 vs 0x530ea0)
      /lib/x86_64-linux-gnu/libc.so.6(clone+0x43)[0x14b4a9ace133]
       
      Trying to get some variables.
      Some pointers may be invalid and cause the dump to abort.
      Query (0x62b000085238): binlog 'bBf2ZBMBAAAANAAAAHUkAAAAAHEAAAAAAAEABHRlc3QAAnQxAAQDDw8IBP0C4h0AaTGFIg==bBf2ZBgBAAAASAAAAL0kAAAAAHEAAAAAAAEABP//8I+kAAABAGIBAGWuv1VNCQAAAPBuWwAAAQBiAQBlrr9VTQkAAADxS9Lu'
      
      

      Setup:

      Compiled with GCC >=7.5.0 (I use GCC 11.4.0) and:
          -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
      Set before execution:
          export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1
      

      ASAN heap-buffer-overflow is present in:
      MariaDB: 10.4.33 (opt), 10.5.25 (opt)

      SIG 11 crash confirmed present in:
      MariaDB: 10.4.33 (dbg), 10.5.25 (dbg), 10.6.18 (dbg), 10.6.18 (opt), 10.11.8 (dbg), 10.11.8 (opt), 11.0.6 (dbg), 11.0.6 (opt), 11.1.5 (dbg), 11.1.5 (opt), 11.2.4 (dbg), 11.2.4 (opt), 11.3.2 (dbg), 11.3.2 (opt), 11.4.0 (dbg), 11.4.0 (opt)
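      The two BINLOG payloads in the reproduction steps can be inspected before they are replayed on an instrumented build. The script below is an added example, not MariaDB's decoder and not part of the report: it splits the base64 text into its events and decodes the 19-byte common header plus the Format_description, Table_map and Update_rows_v1 post-headers through a reader that refuses to read past the end of the blob. Event type codes and field layouts are those of the documented binlog v4 format; the two payload constants are copied from the statements above. Run on this report's data it shows a Format_description event written by a 5.5.21 server, then a Table_map for test.t1 that declares four columns (LONG, VARCHAR, VARCHAR, LONGLONG) and an Update_rows_v1 event for the same table id, while the CREATE TABLE in the reproduction defines a single INT column.

```python
"""Triage helper for BINLOG statements: decode the base64 payload and report
the events it carries, with every read bounds-checked.  Added example, not
MariaDB's own decoder.  Header and post-header layouts follow the documented
binlog v4 format; the two payloads are copied from the bug report."""
import base64
import struct

EVENT_NAMES = {15: "Format_description", 19: "Table_map", 24: "Update_rows_v1"}
COLUMN_TYPES = {3: "LONG", 8: "LONGLONG", 15: "VARCHAR"}

# Payloads copied from the reproduction steps (first: Format_description;
# second: Table_map followed by Update_rows_v1, run together).
FDE_PAYLOAD = (
    "wlZOTw8BAAAA8QAAAPUAAAAAAAQANS41LjIxLU1hcmlhREItZGVidWctbG9nAAAAAAAAAAAAAAAA "
    "AAAAAAAAAAAAAAAAAAAAAAAAEzgNAAgAEgAEBAQEEgAA2QAEGggAAAAICAgCAAAAAAAAAAAAAAAA "
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA "
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA "
    "AAAAAAAAAAAA371saA=="
)
ROWS_PAYLOAD = (
    "bBf2ZBMBAAAANAAAAHUkAAAAAHEAAAAAAAEABHRlc3QAAnQxAAQDDw8IBP0C4h0AaTGFIg=="
    "bBf2ZBgBAAAASAAAAL0kAAAAAHEAAAAAAAEABP//8I+kAAABAGIBAGWuv1VNCQAAAPBuWwAAAQBiAQBlrr9VTQkAAADxS9Lu"
)


class Reader:
    """Cursor over a byte buffer that refuses to read past its end, so a
    truncated or inconsistent event surfaces as ValueError, not a wild read."""

    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        if n < 0 or self.pos + n > len(self.buf):
            raise ValueError(f"truncated event: need {n} bytes at offset "
                             f"{self.pos}, only {len(self.buf) - self.pos} left")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack("<H", self.take(2))[0]

    def u32(self):
        return struct.unpack("<I", self.take(4))[0]

    def u48(self):
        return int.from_bytes(self.take(6), "little")


def split_base64_events(payload):
    """Split a BINLOG payload into its base64 blobs.  Several blobs may be run
    together; each ends at its '=' padding (assumption: every blob except the
    last is padded).  Whitespace, which the report's payload contains, is dropped."""
    text = "".join(payload.split())
    chunks, start, i = [], 0, 0
    while i < len(text):
        if text[i] == "=":
            while i < len(text) and text[i] == "=":
                i += 1
            chunks.append(text[start:i])
            start = i
        else:
            i += 1
    if start < len(text):
        chunks.append(text[start:])
    return [base64.b64decode(c) for c in chunks]


def parse_event(raw):
    """Decode the 19-byte common header and the post-header fields that matter
    for triage.  Row images themselves are not decoded."""
    r = Reader(raw)
    ev = {"timestamp": r.u32(), "type": r.u8(), "server_id": r.u32(),
          "event_len": r.u32(), "next_pos": r.u32(), "flags": r.u16(),
          "blob_len": len(raw)}
    ev["type_name"] = EVENT_NAMES.get(ev["type"], f"type {ev['type']}")
    if ev["type"] == 15:        # Format_description: binlog version, 50-byte server version
        ev["binlog_version"] = r.u16()
        ev["server_version"] = r.take(50).split(b"\0", 1)[0].decode()
    elif ev["type"] == 19:      # Table_map: table id, flags, db, table, column types
        ev["table_id"] = r.u48()
        r.u16()                  # table flags
        ev["db"] = r.take(r.u8()).decode()
        r.u8()                   # NUL after db name
        ev["table"] = r.take(r.u8()).decode()
        r.u8()                   # NUL after table name
        ncols = r.u8()           # packed integer; a single byte for < 251 columns
        ev["columns"] = [COLUMN_TYPES.get(t, f"type {t}") for t in r.take(ncols)]
    elif ev["type"] == 24:      # Update_rows_v1: table id, flags, column count
        ev["table_id"] = r.u48()
        r.u16()                  # rows flags
        ev["column_count"] = r.u8()
    return ev


def triage(payload):
    """Return one summary dict per event found in a BINLOG payload."""
    return [parse_event(raw) for raw in split_base64_events(payload)]


if __name__ == "__main__":
    for payload in (FDE_PAYLOAD, ROWS_PAYLOAD):
        for ev in triage(payload):
            print(ev)
```

      Comparing the decoded Table_map column list against the target table's definition is a cheap first check when triaging a replication crash report of this kind; any event that fails the reader's bounds check is rejected with a ValueError rather than read past its end.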

      People: Andrei Elkin (Elkin), Ramesh Sivaraman (ramesh)