Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Incomplete
- Affects Version/s: 10.2.5
- Fix Version/s: None
- Component/s: None
Description
MariaDB server crashes with SIGSEGV when executing a query that combines a window function with ORDER BY on a query
that produces an empty result set (e.g., WHERE 1=0). The crash occurs because the Filesort constructor does not
initialize its tracker member pointer. When filesort() is called during window function aggregation, it dereferences
this uninitialized pointer, which contains debug fill bytes (0xa5a5a5a5a5a5a5a5) from the memory allocator.
Minimal Reproducible Test Case
CREATE TABLE t (a INT);
INSERT INTO t VALUES (1);
SELECT COUNT(*) OVER () AS cnt FROM t WHERE 1=0 ORDER BY cnt;
Expected result: Empty set (0 rows).
Actual result: Server crashes with SIGSEGV.
Environment
- Server version: 10.2.5-MariaDB-debug
- OS: Linux (kernel 4.x / 6.x)
- Storage engine: InnoDB
- Build type: Debug
Stack Trace
Exec_time_tracker::get_loops() sql_analyze_stmt.h:74
Filesort_tracker::report_use(ha_rows) sql_analyze_stmt.h:191
filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, ...) filesort.cc:216
create_sort_index(THD*, JOIN*, st_join_table*, Filesort*) sql_select.cc:21480
st_join_table::sort_table() sql_select.cc
join_init_read_record(st_join_table*) sql_select.cc
AGGR_OP::end_send() sql_select.cc
sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) sql_select.cc
JOIN::exec_inner() sql_select.cc
JOIN::exec() sql_select.cc
mysql_select(...) sql_select.cc
handle_select(...) sql_select.cc
mysql_execute_command(...) sql_select.cc
mysql_parse(...) sql_parse.cc
dispatch_command(...) sql_parse.cc
do_command(...) sql_parse.cc
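The defect the description names, reduced to a stand-alone model added here (this is not MariaDB's code, and the server's real fix may differ): a pointer member the constructor never assigns inherits the debug allocator's 0xa5 fill, while a hardened filesort() both initialises the pointer and checks it before use. Filesort, Filesort_tracker, the init functions and the allocator stand-in are simplified assumptions, not the server's types.

```cpp
// Added model of the report's pattern; it is not MariaDB source. The debug
// allocator fills fresh memory with 0xa5, so a pointer member the constructor
// never assigns keeps that fill (0xa5a5a5a5a5a5a5a5 on 64-bit). Constructors
// are modelled as init functions on a trivial struct so raw memory stays visible.
#include <cstdlib>
#include <cstring>

static const unsigned char TRASH_FILL = 0xa5;  // MariaDB's debug fill byte

struct Filesort_tracker { void report_use(unsigned long) {} };
struct Filesort { Filesort_tracker *tracker; unsigned long limit; };

// Stand-in for the debug allocator: fresh storage comes back filled with 0xa5.
static Filesort *debug_alloc() {
  void *p = std::malloc(sizeof(Filesort));
  std::memset(p, TRASH_FILL, sizeof(Filesort));
  return static_cast<Filesort *>(p);
}
// "Before": the constructor sets other fields but never touches tracker.
static Filesort *construct_unfixed(Filesort *fs) { fs->limit = 0; return fs; }
// "After": tracker is initialised, so filesort()'s null check can work.
static Filesort *construct_fixed(Filesort *fs) {
  fs->limit = 0; fs->tracker = nullptr; return fs;
}

// True when every byte of the pointer slot still holds the fill pattern, i.e.
// the value is allocator garbage rather than an address.
static bool is_trash_pointer(const Filesort_tracker *const *slot) {
  unsigned char b[sizeof(void *)];
  std::memcpy(b, slot, sizeof b);
  for (unsigned char c : b) if (c != TRASH_FILL) return false;
  return true;
}

// Hardened filesort(): report to the tracker only when one is attached.
static unsigned long filesort_fixed(Filesort *fs, unsigned long rows) {
  if (fs->tracker) fs->tracker->report_use(rows);
  return rows;
}

// Unfixed object: the member holds the fill pattern seen in the report's crash.
static bool unfixed_tracker_is_garbage() {
  Filesort *fs = construct_unfixed(debug_alloc());
  bool garbage = is_trash_pointer(&fs->tracker);
  std::free(fs);
  return garbage;
}
// Fixed object: pointer is null, so sorting an empty result set (0 rows) is safe.
static bool fixed_sort_is_safe() {
  Filesort *fs = construct_fixed(debug_alloc());
  bool safe = fs->tracker == nullptr && filesort_fixed(fs, 0) == 0;
  std::free(fs);
  return safe;
}
```

Compiled with -O2, the unfixed path still reports the 0xa5 pattern because the allocator stand-in writes it with memset before any "constructor" runs, which is the same ordering the report describes.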