Details
-
Bug
-
Status: Open (View Workflow)
-
Major
-
Resolution: Unresolved
-
11.6.0
-
None
-
Ubuntu 23.1
Description
If the client asks to execute a prepared statement with parameters for
the first time, but the client's execute packet specifies a
new_params_bind_flag of zero, then this code in setup_conversion_functions()
in sql_prepare.c doesn't set up the charsets for the parameters,
because *read_pos is zero:
if (*read_pos++) //types supplied / first execute |
{
|
*data= read_pos;
|
bool res= set_conversion_functions(stmt, data); |
DBUG_RETURN(res);
|
}
|
*data= read_pos;
|
As a result, the value.cs_info fields are never initialized, so the
value m_charset's are never initialized, but they are deferenced when
the parameter values are attempted to be converted, perhaps causing a
crash.
I've attached a demo client program. It assumes there's an existing
database d and table t:
CREATE DATABASE d; |
CREATE TABLE t (s1 int); |
It connects to the local DB server as user root and no password. It sends
a PREPARE and then an EXECUTE. I've attached the crash output from the
server. Here's a gdb backtrace:
#0 __pthread_kill_implementation (no_tid=0, signo=11, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
|
#1 __pthread_kill_internal (signo=11, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
|
#2 __GI___pthread_kill (threadid=<optimized out>, signo=11) at ./nptl/pthread_kill.c:89
|
#3 0x00005bb1bfb5c135 in my_write_core (sig=11) at /home/rtm/maria/server/mysys/stacktrace.c:424
|
#4 0x00005bb1bf1ae999 in handle_fatal_signal (sig=11) at /home/rtm/maria/server/sql/signal_handler.cc:357
|
#5 <signal handler called>
|
#6 0x00005bb1bfbd35a9 in my_string_metadata_get (metadata=0x7be2481afeb0, cs=0xa5a5a5a5a5a5a5a5, str=0x7be220027b88 "\376", length=1)
|
at /home/rtm/maria/server/strings/ctype.c:913
|
#7 0x00005bb1bec28ce2 in Item_basic_value::Metadata::Metadata (this=0x7be2481afeb0, str=0x7be22001f8e8)
|
at /home/rtm/maria/server/sql/item.h:3005
|
#8 0x00005bb1bf1faeea in Item_basic_value::fix_charset_and_length_from_str_value (this=0x7be22001f7c8, str=..., dv=DERIVATION_COERCIBLE)
|
at /home/rtm/maria/server/sql/item.h:3034
|
#9 0x00005bb1bf1e4f4f in Item_param::convert_str_value (this=0x7be22001f7c8, thd=0x7be220000dc8) at /home/rtm/maria/server/sql/item.cc:4832
|
#10 0x00005bb1bedb54ce in insert_params (stmt=0x7be22001d098, null_array=0x7be22000bd22 "\002", read_pos=0x7be22000bd26 "",
|
data_end=0x7be22000bd39 "", expanded_query=0x7be2481b00c0) at /home/rtm/maria/server/sql/sql_prepare.cc:882
|
#11 0x00005bb1bedbd9d6 in Prepared_statement::set_parameters (this=0x7be22001d098, expanded_query=0x7be2481b00c0,
|
packet=0x7be22000bd24 "\001\376", packet_end=0x7be22000bd39 "") at /home/rtm/maria/server/sql/sql_prepare.cc:4371
|
#12 0x00005bb1bedbdb5f in Prepared_statement::execute_loop (this=0x7be22001d098, expanded_query=0x7be2481b00c0, open_cursor=false,
|
packet=0x7be22000bd22 "\002", packet_end=0x7be22000bd39 "") at /home/rtm/maria/server/sql/sql_prepare.cc:4438
|
#13 0x00005bb1bedbad51 in mysql_stmt_execute_common (thd=0x7be220000dc8, stmt_id=1, packet=0x7be22000bd22 "\002",
|
packet_end=0x7be22000bd39 "", cursor_flags=0, bulk_op=false, read_types=false, send_unit_results=false)
|
at /home/rtm/maria/server/sql/sql_prepare.cc:3372
|
#14 0x00005bb1bedba541 in mysqld_stmt_execute (thd=0x7be220000dc8, packet_arg=0x7be22000bd19 "\001", packet_length=32)
|
at /home/rtm/maria/server/sql/sql_prepare.cc:3140
|
#15 0x00005bb1bed6dee4 in dispatch_command (command=COM_STMT_EXECUTE, thd=0x7be220000dc8, packet=0x7be22000bd19 "\001", packet_length=32,
|
blocking=true) at /home/rtm/maria/server/sql/sql_parse.cc:1817
|
#16 0x00005bb1bed6cd1b in do_command (thd=0x7be220000dc8, blocking=true) at /home/rtm/maria/server/sql/sql_parse.cc:1405
|
#17 0x00005bb1bef75f23 in do_handle_one_connection (connect=0x5bb1c3665288, put_in_cache=true)
|
at /home/rtm/maria/server/sql/sql_connect.cc:1447
|
#18 0x00005bb1bef75c91 in handle_one_connection (arg=0x5bb1c3665288) at /home/rtm/maria/server/sql/sql_connect.cc:1349
|
#19 0x00005bb1bf4f23ac in pfs_spawn_thread (arg=0x5bb1c35b3cf8) at /home/rtm/maria/server/storage/perfschema/pfs.cc:2201
|
#20 0x00007be261097b5a in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:444
|
#21 0x00007be2611285fc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
Attachments
Issue Links
- relates to
-
-
- Open
-