[MDEV-36575] a NULL pointer dereference located in get_sort_by_table function within sql/sql_select.cc at line 28069. - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Duplicate
Affects Version/s: 11.4.0
Fix Version/s: N/A
Component/s: Optimizer
Labels:
None
Environment:
ubuntu20.04,x86

Bug Category:
Not for Release Notes

Description

This vulnerability is located in MariaDB's get_sort_by_table function within sql/sql_select.cc at line 28069. The issue is caused by a NULL pointer dereference when accessing table->table->map without proper null-checks. During the execution of make_join_statistics, the code assumes valid table pointers, which may not hold under certain malformed queries, leading to a segmentation fault. An attacker can exploit this to trigger a denial-of-service (DoS).

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

gdbcheck_bug1017.log
2025-04-13 08:57
3 kB
yx
bug1017.sql
2025-05-25 09:02
0.2 kB
yx

Activity

People

Assignee:: Unassigned

Reporter:: yx

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2025-04-13 08:57

Updated:: 2025-06-03 15:23

Resolved:: 2025-06-03 15:23

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.