Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
10.0.2, 5.5.31, 5.3.12, 5.5(EOL), 10.0(EOL)
Description
Also reproducible on MySQL 5.5, 5.6 and 5.7, and filed upstream as http://bugs.mysql.com/bug.php?id=69202
Running the following statement under Valgrind produces the warnings below:
SELECT UNCOMPRESS( CAST( 0 AS BINARY(5) ) );
==26747== Thread 4:
|
==26747== Conditional jump or move depends on uninitialised value(s)
|
==26747== at 0x4E3BF0C: inflate (in /lib/x86_64-linux-gnu/libz.so.1.2.3.4)
|
==26747== by 0x4E36514: uncompress (in /lib/x86_64-linux-gnu/libz.so.1.2.3.4)
|
==26747== by 0x5ECA63: Item_func_uncompress::val_str(String*) (item_strfunc.cc:3447)
|
==26747== by 0x58BB2D: Item::send(Protocol*, String*) (item.cc:5970)
|
==26747== by 0x65CADF: select_send::send_data(List<Item>&) (sql_class.cc:2012)
|
==26747== by 0x711486: JOIN::exec() (sql_select.cc:2152)
|
==26747== by 0x71457C: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2990)
|
==26747== by 0x70AF26: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:288)
|
==26747== by 0x6963DE: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5172)
|
==26747== by 0x68D19D: mysql_execute_command(THD*) (sql_parse.cc:2305)
|
==26747== by 0x698E58: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6173)
|
==26747== by 0x68A941: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1243)
|
==26747== by 0x689BDF: do_command(THD*) (sql_parse.cc:923)
|
==26747== by 0x68663A: handle_one_connection (sql_connect.cc:1231)
|
==26747== by 0x548DE99: start_thread (pthread_create.c:308)
|
==26747== by 0x5F9ACBC: clone (clone.S:112)
|
==26747== Conditional jump or move depends on uninitialised value(s)
|
==26747== at 0x4E3BF79: inflate (in /lib/x86_64-linux-gnu/libz.so.1.2.3.4)
|
==26747== by 0x4E36514: uncompress (in /lib/x86_64-linux-gnu/libz.so.1.2.3.4)
|
==26747== by 0x5ECA63: Item_func_uncompress::val_str(String*) (item_strfunc.cc:3447)
|
==26747== by 0x58BB2D: Item::send(Protocol*, String*) (item.cc:5970)
|
==26747== by 0x65CADF: select_send::send_data(List<Item>&) (sql_class.cc:2012)
|
==26747== by 0x711486: JOIN::exec() (sql_select.cc:2152)
|
==26747== by 0x71457C: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2990)
|
==26747== by 0x70AF26: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:288)
|
==26747== by 0x6963DE: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5172)
|
==26747== by 0x68D19D: mysql_execute_command(THD*) (sql_parse.cc:2305)
|
==26747== by 0x698E58: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6173)
|
==26747== by 0x68A941: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1243)
|
==26747== by 0x689BDF: do_command(THD*) (sql_parse.cc:923)
|
==26747== by 0x68663A: handle_one_connection (sql_connect.cc:1231)
|
==26747== by 0x548DE99: start_thread (pthread_create.c:308)
|
==26747== by 0x5F9ACBC: clone (clone.S:112)
|
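/**
  Evaluate UNCOMPRESS(arg): inflate a value whose first 4 bytes hold the
  uncompressed length and whose remaining bytes are the zlib stream.

  @param str  scratch String handed through to args[0]->val_str()

  @return the argument itself when it is empty; &buffer holding the inflated
          data on success; 0 with null_value set to 1 when the argument is
          NULL, is 4 bytes or shorter, declares a size above
          max_allowed_packet, cannot be buffered, or fails to inflate.
*/
String *Item_func_uncompress::val_str(String *str)
{
  DBUG_ASSERT(fixed == 1);
  String *res= args[0]->val_str(str);
  ulong new_size;
  int err;
  uint code;

  if (!res)
    goto err;
  null_value= 0;
  if (res->is_empty())
    return res;

  /*
    If length is 4 bytes or less, data is corrupt: there is a length header
    at most and no compressed payload. This check also guarantees that
    res->length() - 4 below is at least 1 and cannot wrap around.
  */
  if (res->length() <= 4)
  {
    push_warning_printf(current_thd,MYSQL_ERROR::WARN_LEVEL_ERROR,
                        ER_ZLIB_Z_DATA_ERROR,
                        ER(ER_ZLIB_Z_DATA_ERROR));
    goto err;
  }

  /*
    Size of uncompressed data is stored as first 4 bytes of field.
    The value comes straight from the argument, so it is masked and then
    bounded by max_allowed_packet before any buffer is sized from it.
  */
  new_size= uint4korr(res->ptr()) & 0x3FFFFFFF;
  if (new_size > current_thd->variables.max_allowed_packet)
  {
    push_warning_printf(current_thd,MYSQL_ERROR::WARN_LEVEL_ERROR,
                        ER_TOO_BIG_FOR_UNCOMPRESS,
                        ER(ER_TOO_BIG_FOR_UNCOMPRESS),
                        static_cast<int>(current_thd->variables.
                                         max_allowed_packet));
    goto err;
  }
  if (buffer.realloc((uint32)new_size))
    goto err;

  /*
    The source pointer skips the 4-byte length header, so the source length
    handed to zlib must exclude those 4 bytes as well. Passing the full
    res->length() declared 4 more input bytes than the argument holds, which
    lets inflate() read past the end of the value; this is the call Valgrind
    reports at item_strfunc.cc:3447 for UNCOMPRESS(CAST(0 AS BINARY(5))).
  */
  if ((err= uncompress((Byte*)buffer.ptr(), &new_size,
                       ((const Bytef*)res->ptr())+4,
                       res->length() - 4)) == Z_OK)
  {
    /* zlib stored the number of bytes actually produced in new_size. */
    buffer.length((uint32) new_size);
    return &buffer;
  }

  /* Map the zlib status to the matching server warning code. */
  code= ((err == Z_BUF_ERROR) ? ER_ZLIB_Z_BUF_ERROR :
	 ((err == Z_MEM_ERROR) ? ER_ZLIB_Z_MEM_ERROR : ER_ZLIB_Z_DATA_ERROR));
  push_warning(current_thd,MYSQL_ERROR::WARN_LEVEL_ERROR,code,ER(code));

err:
  /* Every failure path yields SQL NULL. */
  null_value= 1;
  return 0;
}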
|
bzr version-info
revision-id: psergey@askmonty.org-20130505013255-oyp1f1cscm7z8bx8
|
revno: 3656
|
branch-nick: 5.3
|