[MDEV-36581] a NULL pointer dereference vulnerability located in the function select_value_catcher::setup at sql/opt_subselect.cc:6044 - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Duplicate
Affects Version/s: 11.4.0
Fix Version/s: N/A
Component/s: Optimizer
Labels:
None
Environment:
ubuntu20.04,x86

Bug Category:
Not for Release Notes

Description

This is a NULL pointer dereference vulnerability in MariaDB located in the function select_value_catcher::setup at sql/opt_subselect.cc:6044. The function is called during the optimization of a semi-join involving a subquery, specifically in execute_degenerate_jtbm_semi_join(). The items parameter is nullptr, but the function assumes it is a valid pointer, leading to a segmentation fault. An attacker can trigger this by crafting a malicious UPDATE or SELECT query with certain semi-join patterns, resulting in a denial-of-service (DoS).

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

bug1234.sql
0.3 kB
2025-05-25 13:06
gdbcheck_bug1234.log
3 kB
2025-04-13 09:45

Issue Links

duplicates

MDEV-22700 Assertion `subq_pred->engine->engine_type() == subselect_engine::SINGLE_SELECT_ENGINE' failed in setup_jtbm_semi_joins

Stalled

Activity

People

Assignee:: Unassigned

Reporter:: yx

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2025-04-13 09:45

Updated:: 2025-06-17 18:02

Resolved:: 2025-06-17 18:02

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.