Bug
Status: Closed
Major
Resolution: Fixed
10.0.2, 5.5.31, 5.3.12, 5.5(EOL), 10.0(EOL)
Description
Also reproducible on MySQL 5.5, 5.6, 5.7 and filed as http://bugs.mysql.com/bug.php?id=69202
SELECT UNCOMPRESS( CAST( 0 AS BINARY(5) ) );
==26747== Thread 4:
==26747== Conditional jump or move depends on uninitialised value(s)
==26747== at 0x4E3BF0C: inflate (in /lib/x86_64-linux-gnu/libz.so.1.2.3.4)
==26747== by 0x4E36514: uncompress (in /lib/x86_64-linux-gnu/libz.so.1.2.3.4)
==26747== by 0x5ECA63: Item_func_uncompress::val_str(String*) (item_strfunc.cc:3447)
==26747== by 0x58BB2D: Item::send(Protocol*, String*) (item.cc:5970)
==26747== by 0x65CADF: select_send::send_data(List<Item>&) (sql_class.cc:2012)
==26747== by 0x711486: JOIN::exec() (sql_select.cc:2152)
==26747== by 0x71457C: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2990)
==26747== by 0x70AF26: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:288)
==26747== by 0x6963DE: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5172)
==26747== by 0x68D19D: mysql_execute_command(THD*) (sql_parse.cc:2305)
==26747== by 0x698E58: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6173)
==26747== by 0x68A941: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1243)
==26747== by 0x689BDF: do_command(THD*) (sql_parse.cc:923)
==26747== by 0x68663A: handle_one_connection (sql_connect.cc:1231)
==26747== by 0x548DE99: start_thread (pthread_create.c:308)
==26747== by 0x5F9ACBC: clone (clone.S:112)
==26747== Conditional jump or move depends on uninitialised value(s)
==26747== at 0x4E3BF79: inflate (in /lib/x86_64-linux-gnu/libz.so.1.2.3.4)
==26747== by 0x4E36514: uncompress (in /lib/x86_64-linux-gnu/libz.so.1.2.3.4)
==26747== by 0x5ECA63: Item_func_uncompress::val_str(String*) (item_strfunc.cc:3447)
==26747== by 0x58BB2D: Item::send(Protocol*, String*) (item.cc:5970)
==26747== by 0x65CADF: select_send::send_data(List<Item>&) (sql_class.cc:2012)
==26747== by 0x711486: JOIN::exec() (sql_select.cc:2152)
==26747== by 0x71457C: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2990)
==26747== by 0x70AF26: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:288)
==26747== by 0x6963DE: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5172)
==26747== by 0x68D19D: mysql_execute_command(THD*) (sql_parse.cc:2305)
==26747== by 0x698E58: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6173)
==26747== by 0x68A941: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1243)
==26747== by 0x689BDF: do_command(THD*) (sql_parse.cc:923)
==26747== by 0x68663A: handle_one_connection (sql_connect.cc:1231)
==26747== by 0x548DE99: start_thread (pthread_create.c:308)
==26747== by 0x5F9ACBC: clone (clone.S:112)
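/**
  Implements UNCOMPRESS(): inflates the zlib stream held in the argument.

  Expected input layout: the first 4 bytes carry the declared uncompressed
  length (read with uint4korr); the compressed stream occupies the rest of
  the string, i.e. bytes [4, length()).

  @param str  scratch buffer handed to args[0]->val_str()
  @return     &buffer holding the inflated data; the argument itself when it
              is empty; or NULL with null_value set on any failure (NULL
              argument, input too short to hold a header plus data, declared
              size above max_allowed_packet, allocation failure, zlib error).
              Failures other than NULL input / allocation also push a
              WARN_LEVEL_ERROR warning.
*/
String *Item_func_uncompress::val_str(String *str)
{
  DBUG_ASSERT(fixed == 1);
  String *res= args[0]->val_str(str);
  ulong new_size;
  int err;
  uint code;

  if (!res)
    goto err;
  null_value= 0;
  if (res->is_empty())
    return res;

  /*
    The 4-byte length header must be followed by at least one byte of
    compressed data; anything shorter is treated as corrupt.
  */
  if (res->length() <= 4)
  {
    push_warning_printf(current_thd,MYSQL_ERROR::WARN_LEVEL_ERROR,
                        ER_ZLIB_Z_DATA_ERROR,
                        ER(ER_ZLIB_Z_DATA_ERROR));
    goto err;
  }

  /*
    Size of uncompressed data is stored as first 4 bytes of field.
    The header is taken from the (possibly corrupt or hostile) input, so the
    declared size is masked to 30 bits and then bounded by
    max_allowed_packet before any allocation is done.
  */
  new_size= uint4korr(res->ptr()) & 0x3FFFFFFF;
  if (new_size > current_thd->variables.max_allowed_packet)
  {
    push_warning_printf(current_thd,MYSQL_ERROR::WARN_LEVEL_ERROR,
                        ER_TOO_BIG_FOR_UNCOMPRESS,
                        ER(ER_TOO_BIG_FOR_UNCOMPRESS),
                        static_cast<int>(current_thd->variables.
                                         max_allowed_packet));
    goto err;
  }
  if (buffer.realloc((uint32)new_size))
    goto err;

  /*
    The compressed stream starts 4 bytes into the input, so its length is
    res->length() - 4.  Passing the full res->length() as sourceLen let zlib
    inspect bytes beyond the end of the stream while verifying the header
    (the uninitialised-value reads reported by valgrind in inflate()).
  */
  if ((err= uncompress((Byte*)buffer.ptr(), &new_size,
                       ((const Bytef*)res->ptr())+4,
                       res->length() - 4)) == Z_OK)
  {
    buffer.length((uint32) new_size);
    return &buffer;
  }

  /* Map the zlib status to the corresponding server warning. */
  code= ((err == Z_BUF_ERROR) ? ER_ZLIB_Z_BUF_ERROR :
         ((err == Z_MEM_ERROR) ? ER_ZLIB_Z_MEM_ERROR : ER_ZLIB_Z_DATA_ERROR));
  push_warning(current_thd,MYSQL_ERROR::WARN_LEVEL_ERROR,code,ER(code));

err:
  null_value= 1;
  return 0;
}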
bzr version-info
revision-id: psergey@askmonty.org-20130505013255-oyp1f1cscm7z8bx8
revno: 3656
branch-nick: 5.3
|
Still reproducible on the current 10.0 tree (revno 4471).
Upstream fix in 5.7.5:
revno: 8002
revision-id: tor.didriksen@oracle.com-20140513113847-4ibrwic6moadne9v
parent: anitha.gopi@oracle.com-20140513113110-zaw6h206p2tn93bx
committer: Tor Didriksen <tor.didriksen@oracle.com>
branch nick: trunk-valgrind
timestamp: Tue 2014-05-13 13:38:47 +0200
message:
Bug#18693654 VALGRIND WARNINGS IN INFLATE ON UNCOMPRESS
The value of the sourceLen argument to uncompress() was wrong,
and we got valgrind warnings when trying to verify the zip header of the compressed data.