Details
Bug
Status: Confirmed
Major
Resolution: Unresolved
10.6, 10.11, 11.4, 11.8, 12.1, 12.2
None
None
Description
The following script:
let $MYSQLD_DATADIR= `select @@datadir`;
--mkdir $MYSQLD_DATADIR/db-1
--write_file $MYSQLD_DATADIR/db-1/v1.frm
TYPE=VIEW
query=select `0_________1_________2_________3_________4_________5____`
 |
EOF
ALTER DATABASE `#mysql50#db-1` UPGRADE DATA DIRECTORY NAME;
leads to:
==39755==ERROR: AddressSanitizer: use-after-poison on address 0x7123874d1893 at pc 0x725389ae5c36 bp 0x6e5378272960 sp 0x6e5378272108
READ of size 3 at 0x7123874d1893 thread T5
#0 0x725389ae5c35 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:848
#1 0x725389ae6838 in memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:879
#2 0x725389ae6838 in memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:874
#3 0x5a6a78917e61 in File_parser::parse(unsigned char*, st_mem_root*, File_option*, unsigned int, Unknown_key_hook*) const /src/mariadb/sql/parse_file.cc:830
#4 0x5a6a79c47712 in mysql_rename_view(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*) /src/mariadb/sql/sql_view.cc:2370
#5 0x5a6a79432f22 in do_rename /src/mariadb/sql/sql_rename.cc:454
#6 0x5a6a79433b68 in rename_tables /src/mariadb/sql/sql_rename.cc:548
#7 0x5a6a7942efcd in mysql_rename_tables(THD*, TABLE_LIST*, bool, bool) /src/mariadb/sql/sql_rename.cc:166
#8 0x5a6a78eb5082 in mysql_upgrade_db(THD*, Lex_ident_db const&) /src/mariadb/sql/sql_db.cc:2021
#9 0x5a6a792625fa in mysql_execute_command(THD*, bool) /src/mariadb/sql/sql_parse.cc:5072
#10 0x5a6a7929c49f in mysql_parse(THD*, char*, unsigned int, Parser_state*) /src/mariadb/sql/sql_parse.cc:7883
#11 0x5a6a7921975c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /src/mariadb/sql/sql_parse.cc:1878
#12 0x5a6a7920db75 in do_command(THD*, bool) /src/mariadb/sql/sql_parse.cc:1417
#13 0x5a6a79f05cdf in do_handle_one_connection(CONNECT*, bool) /src/mariadb/sql/sql_connect.cc:1414
#14 0x5a6a79f04d6e in handle_one_connection /src/mariadb/sql/sql_connect.cc:1326
#15 0x5a6a7c633da9 in pfs_spawn_thread /src/mariadb/storage/perfschema/pfs.cc:2198
#16 0x725389a5f972 in asan_thread_start ../../../../src/libsanitizer/asan/asan_interceptors.cpp:239
#17 0x7253882a27f0 in start_thread nptl/pthread_create.c:448
#18 0x725388333b5b in __clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
Changing the check inside File_parser::parse() from:
if (len < (size_t)(end-ptr) && ptr[len] != '=')
to:
if ((len < (size_t)(end - ptr) && ptr[len] != '=') || len > (size_t)(end - ptr))
...fixes the issue for me. Presumably the added `len > (size_t)(end - ptr)` branch rejects a key whose expected length exceeds the remaining input before the memcmp at parse_file.cc:830 reads past the end of the buffer, which matches the ASan report above (a READ of size 3 inside memcmp). Note that the proposed condition still admits the `len == (size_t)(end - ptr)` case; whether that case is handled safely depends on the code following the check, which is not quoted here.
Reproduced on main (b8a7728963).