Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Duplicate
-
12.3.2
-
None
-
Linux x86_64, Docker container
-
Not for Release Notes
Description
~~~sql
SELECT LOWER ( ( WITH RECURSIVE x ( x ) AS ( SELECT FROM_UNIXTIME ( SHA ( '$.b[ 1 ].c' ) ) AS x GROUP BY x HAVING avg ( x ) IS NOT NULL INTERSECT SELECT 1 AS x INTERSECT SELECT x + 1 FROM x WHERE EXISTS ( WITH x ( x ) AS ( SELECT truncate ( -5678.123535 , -4 ) AS x UNION SELECT format_bytes ( pow ( 2 , 400 ) ) FROM x ) SELECT * FROM x ) ) SELECT x FROM x WHERE x IN ( SELECT x FROM x WHERE MBRCOVEREDBY ( ST_GEOMFROMTEXT ( 'POINT(0 0)' ) , ST_GEOMFROMTEXT ( 'MULTILINESTRING((0 0,10 0))' ) ) AND x IN ( SELECT x FROM x WHERE 1 BETWEEN 1 AND 5 OR 5 BETWEEN 1 AND 5 OR 8 BETWEEN 1 AND 5 OR 9 BETWEEN 1 AND 5 AND x LIKE 'your_table_name%' ) ) GROUP BY ( x > 'o' ) , x % 2 ORDER BY x LIMIT 1 ) ) ;
~~~
-
- Expected result
The server should either execute the query or return a normal SQL error without crashing.
- Expected result
-
- Actual result
The fuzzing run observed a server crash. The deduplicated stack signature is:
~~~
stack:_ZN18st_select_lex_unit14exec_recursiveEv|_ZN10TABLE_LIST14fill_recursiveEP3THD|_ZL18mysql_derived_fillP3THDP3LEXP10TABLE_LIST|_Z27mysql_handle_single_derivedP3LEXP10TABLE_LISTj|_ZN13st_join_table12preread_initEv|_Z10sub_selectP4JOINP13st_join_tableb|_ZN4JOIN10exec_innerEv|_ZN4JOIN4execEv
~~~
- Actual result
Top frames:
~~~
_ZN18st_select_lex_unit14exec_recursiveEv
_ZN10TABLE_LIST14fill_recursiveEP3THD
_ZL18mysql_derived_fillP3THDP3LEXP10TABLE_LIST
_Z27mysql_handle_single_derivedP3LEXP10TABLE_LISTj
_ZN13st_join_table12preread_initEv
_Z10sub_selectP4JOINP13st_join_tableb
_ZN4JOIN10exec_innerEv
_ZN4JOIN4execEv
~~~
Attachments
Issue Links
- duplicates
-
-
- Confirmed
-