[MDEV-39540] crash due to narrowing cast in update_ref_and_keys() - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.6, 10.11, 11.4, 11.8, 12.3
Fix Version/s: 10.6.26, 10.11.17, 11.4.11, 11.8.7, 12.3.2
Component/s: Optimizer
Labels:
None

Bug Category:
Can result in hang or crash

Description

update_ref_and_keys(THD thd, DYNAMIC_ARRAY keyuse,JOIN_TAB *join_tab,
7377	sz= MY_MAX(sizeof(KEY_FIELD),sizeof(SARGABLE_PARAM))*
7378	((sel->cond_count2 + sel->between_count)m+1);
7379	if (!(key_fields=(KEY_FIELD*) thd->alloc(sz)))
7380	DBUG_RETURN(TRUE); /* purecov: inspected */

but sz is uint. When the size is larger than 2³², sz wraps around, key_fields is allocated too small which causes a crash later (esp. with ASAN). See the attached test case.

Reported by Ben Bidner (Automattic.com Security Team).

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

poc_select_overflow.sql
2.39 MB
2026-05-06 11:24

Activity

People

Assignee:: Sergei Golubchik

Reporter:: Sergei Golubchik

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2026-05-06 11:16

Updated:: 2026-05-27 11:32

Resolved:: 2026-05-06 12:56

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.