Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-36571

a null pointer dereference in the sortlength function within filesort.cc at line 2183

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Critical
    • Resolution: Duplicate
    • 11.4.0
    • N/A
    • Optimizer
    • None
    • ubuntu 20.04,x86

    Description

      A segmentation fault in MariaDB occurs due to a null pointer dereference in the sortlength function within filesort.cc at line 2183. Specifically, the server attempts to access a method on sortorder->item without ensuring it is a valid object, relying on item->type_handler()->is_packable() without a preceding null check. This crash is triggered during the execution of filesort() as part of an UPDATE query with an ORDER BY clause. A crafted SQL statement can exploit this flaw to cause a denial-of-service (DoS) condition by crashing the mariadbd process

      Attachments

        1. 0.sql
          0.3 kB
          yx
        2. gdbcheck_bug0.log
          3 kB
          yx

        Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. MDEV-33177 Assertion `!order->item[0]->with_sum_func()' failed

          • Major - Major loss of function.
          • Confirmed

          Activity

            People

              Unassigned Unassigned
              yx yx
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.