[MDEV-4513] Valgrind warnings (Conditional jump or move depends on uninitialised value) in inflate on UNCOMPRESS - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.0.2, 5.5.31, 5.3.12, 5.5(EOL), 10.0(EOL)
Fix Version/s: 5.5.41, 10.0.15
Component/s: Tests
Labels:
- upstream-fixed

Description

Also reproducible on MySQL 5.5, 5.6, 5.7 and filed as http://bugs.mysql.com/bug.php?id=69202

SELECT UNCOMPRESS( CAST( 0 AS BINARY(5) ) );

==26747== Thread 4:

==26747== Conditional jump or move depends on uninitialised value(s)

==26747==    at 0x4E3BF0C: inflate (in /lib/x86_64-linux-gnu/libz.so.1.2.3.4)

==26747==    by 0x4E36514: uncompress (in /lib/x86_64-linux-gnu/libz.so.1.2.3.4)

==26747==    by 0x5ECA63: Item_func_uncompress::val_str(String*) (item_strfunc.cc:3447)

==26747==    by 0x58BB2D: Item::send(Protocol*, String*) (item.cc:5970)

==26747==    by 0x65CADF: select_send::send_data(List<Item>&) (sql_class.cc:2012)

==26747==    by 0x711486: JOIN::exec() (sql_select.cc:2152)

==26747==    by 0x71457C: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2990)

==26747==    by 0x70AF26: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:288)

==26747==    by 0x6963DE: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5172)

==26747==    by 0x68D19D: mysql_execute_command(THD*) (sql_parse.cc:2305)

==26747==    by 0x698E58: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6173)

==26747==    by 0x68A941: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1243)

==26747==    by 0x689BDF: do_command(THD*) (sql_parse.cc:923)

==26747==    by 0x68663A: handle_one_connection (sql_connect.cc:1231)

==26747==    by 0x548DE99: start_thread (pthread_create.c:308)

==26747==    by 0x5F9ACBC: clone (clone.S:112)

==26747== Conditional jump or move depends on uninitialised value(s)

==26747==    at 0x4E3BF79: inflate (in /lib/x86_64-linux-gnu/libz.so.1.2.3.4)

==26747==    by 0x4E36514: uncompress (in /lib/x86_64-linux-gnu/libz.so.1.2.3.4)

==26747==    by 0x5ECA63: Item_func_uncompress::val_str(String*) (item_strfunc.cc:3447)

==26747==    by 0x58BB2D: Item::send(Protocol*, String*) (item.cc:5970)

==26747==    by 0x65CADF: select_send::send_data(List<Item>&) (sql_class.cc:2012)

==26747==    by 0x711486: JOIN::exec() (sql_select.cc:2152)

==26747==    by 0x71457C: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2990)

==26747==    by 0x70AF26: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:288)

==26747==    by 0x6963DE: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5172)

==26747==    by 0x68D19D: mysql_execute_command(THD*) (sql_parse.cc:2305)

==26747==    by 0x698E58: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6173)

==26747==    by 0x68A941: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1243)

==26747==    by 0x689BDF: do_command(THD*) (sql_parse.cc:923)

==26747==    by 0x68663A: handle_one_connection (sql_connect.cc:1231)

==26747==    by 0x548DE99: start_thread (pthread_create.c:308)

==26747==    by 0x5F9ACBC: clone (clone.S:112)

3410:String *Item_func_uncompress::val_str(String *str)

3411:{

3412:  DBUG_ASSERT(fixed == 1);

3413:  String *res= args[0]->val_str(str);

3414:  ulong new_size;

3415:  int err;

3416:  uint code;

3417:

3418:  if (!res)

3419:    goto err;

3420:  null_value= 0;

3421:  if (res->is_empty())

3422:    return res;

3423:

3424:  /* If length is less than 4 bytes, data is corrupt */

3425:  if (res->length() <= 4)

3426:  {

3427:    push_warning_printf(current_thd,MYSQL_ERROR::WARN_LEVEL_ERROR,

3428:                   ER_ZLIB_Z_DATA_ERROR,

3429:                   ER(ER_ZLIB_Z_DATA_ERROR));

3430:    goto err;

3431:  }

3432:

3433:  /* Size of uncompressed data is stored as first 4 bytes of field */

3434:  new_size= uint4korr(res->ptr()) & 0x3FFFFFFF;

3435:  if (new_size > current_thd->variables.max_allowed_packet)

3436:  {

3437:    push_warning_printf(current_thd,MYSQL_ERROR::WARN_LEVEL_ERROR,

3438:                   ER_TOO_BIG_FOR_UNCOMPRESS,

3439:                   ER(ER_TOO_BIG_FOR_UNCOMPRESS),

3440:                        static_cast<int>(current_thd->variables.

3441:                                         max_allowed_packet));

3442:    goto err;

3443:  }

3444:  if (buffer.realloc((uint32)new_size))

3445:    goto err;

3446:

3447:  if ((err= uncompress((Byte*)buffer.ptr(), &new_size,

3448:                  ((const Bytef*)res->ptr())+4,res->length())) == Z_OK)

3449:  {

3450:    buffer.length((uint32) new_size);

3451:    return &buffer;

3452:  }

3453:3453:

3454:  code= ((err == Z_BUF_ERROR) ? ER_ZLIB_Z_BUF_ERROR :

3455:    ((err == Z_MEM_ERROR) ? ER_ZLIB_Z_MEM_ERROR : ER_ZLIB_Z_DATA_ERROR));

3456:  push_warning(current_thd,MYSQL_ERROR::WARN_LEVEL_ERROR,code,ER(code));

3457:

3458:err:

3459:  null_value= 1;

3460:  return 0;

3461:}

bzr version-info

revision-id: psergey@askmonty.org-20130505013255-oyp1f1cscm7z8bx8

revno: 3656

branch-nick: 5.3

Attachments

Issue Links

links to

Bug #69202 - Valgrind warnings in inflate on UNCOMPRESS

Activity

People

Assignee:: Sergei Golubchik

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2013-05-11 20:42

Updated:: 2014-12-01 13:18

Resolved:: 2014-11-19 08:58

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.