MariaDB Server: MDEV-39653

AddressSanitizer: heap-use-after-free in my_mb_wc_latin1/../Field_xmltype::store after invalid xml


Details

    • Bug
    • Status: Closed
    • Blocker
    • Resolution: Fixed
    • 12.3
    • 12.3.2
    • XML
    • None
    • Can result in hang or crash
    • Q2/2026 Server Development

    Description

      CREATE TABLE t1 (i INT);
      INSERT INTO t1 VALUES (1),(2),(3),(4);
       
      CREATE TABLE t2 (x XMLTYPE not null);
      INSERT IGNORE INTO t2 SELECT i FROM t1;
      

      2026-05-18 16:27:21 0 [Note] Starting MariaDB 12.3.2-MariaDB-asan-debug-log source revision 6e20438a1cad72054ec3f4732f0bd48f55b773dd 
       
      Version: '12.3.2-MariaDB-asan-debug-log'  
      =================================================================
      ==3313587==ERROR: AddressSanitizer: heap-use-after-free on address 0x50400001f9b0 at pc 0x5c49f8c23af0 bp 0x6d790135e000 sp 0x6d790135dff0
      READ of size 1 at 0x50400001f9b0 thread T13
          #0 0x5c49f8c23aef in my_mb_wc_latin1 /12.3/src/strings/ctype-latin1.c:376
          #1 0x5c49f8c8fabe in my_convert_using_func /12.3/src/strings/ctype.c:1166
          #2 0x5c49f6c8ba58 in err_conv(char*, unsigned int, char const*, unsigned int, charset_info_st const*) /12.3/src/sql/sql_error.cc:980
          #3 0x5c49f6a9769e in ErrBuff::set_str(char const*, unsigned long, charset_info_st const*) const /12.3/src/sql/sql_error.h:875
          #4 0x5c49f6a97767 in ErrConvString::lex_cstring() const /12.3/src/sql/sql_error.h:922
          #5 0x5c49f8d94863 in ErrConv::ptr() const /12.3/src/sql/sql_error.h:903
          #6 0x5c49f8d94863 in Field_xmltype::store(char const*, unsigned long, charset_info_st const*) /12.3/src/plugin/type_xmltype/sql_type_xmltype.cc:224
          #7 0x5c49f75312d9 in Field_blob::store_field(Field*) /12.3/src/sql/field.h:4645
          #8 0x5c49f775a81f in field_conv_incompatible /12.3/src/sql/field_conv.cc:924
          #9 0x5c49f7760329 in field_conv(Field*, Field*) /12.3/src/sql/field_conv.cc:937
          #10 0x5c49f77e9483 in save_field_in_field /12.3/src/sql/item.cc:7193
          #11 0x5c49f77e983b in Item_field::save_in_field(Field*, bool) /12.3/src/sql/item.cc:7243
          #12 0x5c49f6bb561e in fill_record(THD*, TABLE*, Field**, List<Item>&, bool, bool, bool) /12.3/src/sql/sql_base.cc:9537
          #13 0x5c49f6bb5b3e in fill_record_n_invoke_before_triggers(THD*, TABLE*, Field**, List<Item>&, bool, trg_event_type, bool*) /12.3/src/sql/sql_base.cc:9596
          #14 0x5c49f6ca1f61 in select_insert::store_values(List<Item>&, bool*) /12.3/src/sql/sql_insert.cc:4579
          #15 0x5c49f6ca92f7 in select_insert::send_data(List<Item>&) /12.3/src/sql/sql_insert.cc:4511
          #16 0x5c49f6c1b5d7 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /12.3/src/sql/sql_class.cc:3309
          #17 0x5c49f6eae4f4 in end_send /12.3/src/sql/sql_select.cc:25937
          #18 0x5c49f6e737c0 in evaluate_join_record /12.3/src/sql/sql_select.cc:24810
          #19 0x5c49f6e8abd4 in sub_select(JOIN*, st_join_table*, bool) /12.3/src/sql/sql_select.cc:24577
          #20 0x5c49f6ecb87d in do_select /12.3/src/sql/sql_select.cc:24088
          #21 0x5c49f6f341ca in JOIN::exec_inner() /12.3/src/sql/sql_select.cc:5125
          #22 0x5c49f6f34529 in JOIN::exec() /12.3/src/sql/sql_select.cc:4913
          #23 0x5c49f6f2feac in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /12.3/src/sql/sql_select.cc:5439
          #24 0x5c49f6f306b8 in handle_select(THD*, LEX*, select_result*, unsigned long long) /12.3/src/sql/sql_select.cc:636
          #25 0x5c49f6d88a74 in mysql_execute_command(THD*, bool) /12.3/src/sql/sql_parse.cc:4704
          #26 0x5c49f6d91bb8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /12.3/src/sql/sql_parse.cc:7949
          #27 0x5c49f6d95968 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /12.3/src/sql/sql_parse.cc:1903
          #28 0x5c49f6d9a705 in do_command(THD*, bool) /12.3/src/sql/sql_parse.cc:1437
          #29 0x5c49f725b4bb in do_handle_one_connection(CONNECT*, bool) /12.3/src/sql/sql_connect.cc:1503
          #30 0x5c49f725b9a0 in handle_one_connection /12.3/src/sql/sql_connect.cc:1415
          #31 0x5c49f7f408cf in pfs_spawn_thread /12.3/src/storage/perfschema/pfs.cc:2198
          #32 0x75791c05ea41 in asan_thread_start ../../../../src/libsanitizer/asan/asan_interceptors.cpp:234
          #33 0x75791b09caa3 in start_thread nptl/pthread_create.c:447
          #34 0x75791b129c6b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      0x50400001f9b0 is located 32 bytes inside of 48-byte region [0x50400001f990,0x50400001f9c0)
      freed by thread T13 here:
          #0 0x75791c0fc4d8 in free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
          #1 0x5c49f8bab440 in my_free /12.3/src/mysys/my_malloc.c:218
       
      previously allocated by thread T13 here:
          #0 0x75791c0fd9c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
          #1 0x5c49f8baaed7 in my_malloc /12.3/src/mysys/my_malloc.c:93
       
      Thread T13 created by T0 here:
          #0 0x75791c0f51f9 in pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:245
          #1 0x5c49f7f40b2c in my_thread_create /12.3/src/storage/perfschema/my_thread.h:38
          #2 0x5c49f7f40b2c in pfs_spawn_thread_v1 /12.3/src/storage/perfschema/pfs.cc:2249
       
      SUMMARY: AddressSanitizer: heap-use-after-free /12.3/src/strings/ctype-latin1.c:376 in my_mb_wc_latin1
      Shadow bytes around the buggy address:
        0x50400001f700: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
        0x50400001f780: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
        0x50400001f800: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
        0x50400001f880: fa fa 00 00 00 00 00 fa fa fa fd fd fd fd fd fa
        0x50400001f900: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
      =>0x50400001f980: fa fa fd fd fd fd[fd]fd fa fa fa fa fa fa fa fa
        0x50400001fa00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x50400001fa80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x50400001fb00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x50400001fb80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x50400001fc00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==3313587==ABORTING
      

            People

              holyfoot Alexey Botchkov
              alice Alice Sherepa
              Votes: 0
              Watchers: 4
