Details
- Type: Bug
- Status: Confirmed
- Priority: Major
- Resolution: Unresolved
- Affects versions: 10.11, 11.4, 11.8, 12.3, 12.3.2
- Environment: Linux x86_64, Docker container
Description
~~~sql
SELECT TO_CHAR ( x , 'YYYY-MON-DAY' ) FROM ( SELECT JSON_UNQUOTE ( GREATEST ( maketime ( 10 , 11 , x = CASE WHEN ( SELECT ( 1 ) WHERE x IS NULL OR ST_LONGFROMGEOHASH ( ST_GEOHASH ( -180 , 0 , 20 ) ) GROUP BY 'x' ) - 1 THEN ( 1 ^ x ) ELSE CASE WHEN CASE WHEN extractvalue ( '<a>A<b>B1</b><b>B2</b></a>' , '/a/b[count(.)=1]' ) NOT IN ( SELECT * FROM ( SELECT 2 UNION SELECT 3 UNION SELECT 'LINESTRING(0 0,-0.00 0)' ) AS x GROUP BY x HAVING NOT NOT ( x ) ) THEN 1 ELSE 1 END THEN 1 WHEN 'x' LIKE 'x' THEN 1 END END ) , 1323 ) ) AS x FROM ( SELECT json_unquote ( concat_ws ( ', ' , 2 , 1 ) ) AS x UNION SELECT 'test2' ) AS x ) AS x ;
~~~
Expected result
The server should either execute the query or return a normal SQL error without crashing.
Actual result
The fuzzing run observed a server crash. The deduplicated stack signature is:
~~~
stack:_ZNK10Item_field11used_tablesEv|_ZL12remove_constP4JOINP8st_orderP4ItembPb|_ZN4JOIN14optimize_innerEv|_ZN4JOIN8optimizeEv|_ZN13st_select_lex31optimize_unflattened_subqueriesEb|_ZN4JOIN15optimize_stage2Ev|_Z12mysql_selectP3THDP10TABLE_LISTR4ListI4ItemEPS4_jP8st_orderS9_S7_S9_yP13select_resultP18st_select_lex_unitP13st_select_lex|_Z13handle_selectP3THDP3LEXP13select_resulty
~~~
Top frames:
~~~
_ZNK10Item_field11used_tablesEv
_ZL12remove_constP4JOINP8st_orderP4ItembPb
_ZN4JOIN14optimize_innerEv
_ZN4JOIN8optimizeEv
_ZN13st_select_lex31optimize_unflattened_subqueriesEb
_ZN4JOIN15optimize_stage2Ev
_Z12mysql_selectP3THDP10TABLE_LISTR4ListI4ItemEPS4_jP8st_orderS9_S7_S9_yP13select_resultP18st_select_lex_unitP13st_select_lex
_Z13handle_selectP3THDP3LEXP13select_resulty
~~~
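Added triage helper (example code, not part of this report or of MariaDB): it parses the fuzzer's `stack:` signature line above into readable function names and derives a dedup key from the top frames, so the same crash reported against several versions can be bucketed together. The partial demangler (qualified names only, no parameter types) and the three-frame key depth are assumptions of the example; the signature string is copied from the report.

```python
import re

_LENGTH = re.compile(r"\d+")

# Constructed input: the fuzzer's deduplicated "stack:" signature copied from this report.
SIGNATURE = (
    "stack:_ZNK10Item_field11used_tablesEv"
    "|_ZL12remove_constP4JOINP8st_orderP4ItembPb"
    "|_ZN4JOIN14optimize_innerEv"
    "|_ZN4JOIN8optimizeEv"
    "|_ZN13st_select_lex31optimize_unflattened_subqueriesEb"
    "|_ZN4JOIN15optimize_stage2Ev"
    "|_Z12mysql_selectP3THDP10TABLE_LISTR4ListI4ItemEPS4_jP8st_orderS9_S7_S9_yP13select_resultP18st_select_lex_unitP13st_select_lex"
    "|_Z13handle_selectP3THDP3LEXP13select_resulty"
)

def split_signature(sig):
    """Split 'stack:f1|f2|...' into mangled frame names, innermost frame first."""
    if not sig.startswith("stack:"):
        raise ValueError("not a 'stack:' signature line")
    return [frame for frame in sig[len("stack:"):].split("|") if frame]

def function_name(mangled):
    """Recover only the qualified function name from an Itanium-mangled symbol.
    Partial demangler by design (assumption of this example): handles 'L' (internal
    linkage), 'N...E' nested names and CV qualifiers; parameter types are ignored."""
    if not mangled.startswith("_Z"):
        return mangled
    pos = 2
    if mangled[pos:pos + 1] == "L":  # internal-linkage (static) function
        pos += 1
    nested = mangled[pos:pos + 1] == "N"
    if nested:
        pos += 1
        while mangled[pos:pos + 1] in ("K", "V", "r"):  # const/volatile/restrict on this
            pos += 1
    parts = []
    while (m := _LENGTH.match(mangled, pos)) is not None:  # <length><identifier> components
        start = m.end()
        pos = start + int(m.group())
        parts.append(mangled[start:pos])
        if not nested or mangled[pos:pos + 1] == "E":
            break
    return "::".join(parts) if parts else mangled

def readable_frames(sig):  # innermost-first readable names for one signature line
    return [function_name(frame) for frame in split_signature(sig)]

def dedup_key(sig, depth=3):
    """Bucket key from the top frames only, so reports that differ deeper in the
    call chain (or only in parameter spellings) collapse into one bucket."""
    return "|".join(readable_frames(sig)[:depth])
```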