
Valgrind warnings (Conditional jump or move depends on uninitialised value) in inflate on UNCOMPRESS

Details

    Description

      Also reproducible on MySQL 5.5, 5.6, 5.7 and filed as http://bugs.mysql.com/bug.php?id=69202

      SELECT UNCOMPRESS( CAST( 0 AS BINARY(5) ) );

      ==26747== Thread 4:
      ==26747== Conditional jump or move depends on uninitialised value(s)
      ==26747==    at 0x4E3BF0C: inflate (in /lib/x86_64-linux-gnu/libz.so.1.2.3.4)
      ==26747==    by 0x4E36514: uncompress (in /lib/x86_64-linux-gnu/libz.so.1.2.3.4)
      ==26747==    by 0x5ECA63: Item_func_uncompress::val_str(String*) (item_strfunc.cc:3447)
      ==26747==    by 0x58BB2D: Item::send(Protocol*, String*) (item.cc:5970)
      ==26747==    by 0x65CADF: select_send::send_data(List<Item>&) (sql_class.cc:2012)
      ==26747==    by 0x711486: JOIN::exec() (sql_select.cc:2152)
      ==26747==    by 0x71457C: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2990)
      ==26747==    by 0x70AF26: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:288)
      ==26747==    by 0x6963DE: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5172)
      ==26747==    by 0x68D19D: mysql_execute_command(THD*) (sql_parse.cc:2305)
      ==26747==    by 0x698E58: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6173)
      ==26747==    by 0x68A941: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1243)
      ==26747==    by 0x689BDF: do_command(THD*) (sql_parse.cc:923)
      ==26747==    by 0x68663A: handle_one_connection (sql_connect.cc:1231)
      ==26747==    by 0x548DE99: start_thread (pthread_create.c:308)
      ==26747==    by 0x5F9ACBC: clone (clone.S:112)
      ==26747== Conditional jump or move depends on uninitialised value(s)
      ==26747==    at 0x4E3BF79: inflate (in /lib/x86_64-linux-gnu/libz.so.1.2.3.4)
      ==26747==    by 0x4E36514: uncompress (in /lib/x86_64-linux-gnu/libz.so.1.2.3.4)
      ==26747==    by 0x5ECA63: Item_func_uncompress::val_str(String*) (item_strfunc.cc:3447)
      ==26747==    by 0x58BB2D: Item::send(Protocol*, String*) (item.cc:5970)
      ==26747==    by 0x65CADF: select_send::send_data(List<Item>&) (sql_class.cc:2012)
      ==26747==    by 0x711486: JOIN::exec() (sql_select.cc:2152)
      ==26747==    by 0x71457C: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2990)
      ==26747==    by 0x70AF26: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:288)
      ==26747==    by 0x6963DE: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5172)
      ==26747==    by 0x68D19D: mysql_execute_command(THD*) (sql_parse.cc:2305)
      ==26747==    by 0x698E58: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6173)
      ==26747==    by 0x68A941: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1243)
      ==26747==    by 0x689BDF: do_command(THD*) (sql_parse.cc:923)
      ==26747==    by 0x68663A: handle_one_connection (sql_connect.cc:1231)
      ==26747==    by 0x548DE99: start_thread (pthread_create.c:308)
      ==26747==    by 0x5F9ACBC: clone (clone.S:112)

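      /**
        UNCOMPRESS(): inflate a value produced by COMPRESS().

        The argument is a binary string whose first four bytes hold the
        uncompressed length (read with uint4korr); the zlib stream follows
        from byte 4 onward. The argument need not be genuine COMPRESS()
        output, so every field of it is validated before use.

        @param str  scratch buffer handed to args[0]->val_str()
        @return     pointer to the inflated data (kept in this->buffer);
                    the argument itself when it is empty; or NULL with
                    null_value set on NULL input, truncated input, an
                    oversize declared length, allocation failure or any
                    zlib error (a warning is pushed in the error cases)
      */
      String *Item_func_uncompress::val_str(String *str)
      {
        DBUG_ASSERT(fixed == 1);
        String *res= args[0]->val_str(str);
        ulong new_size;
        int err;
        uint code;

        if (!res)
          goto err;
        null_value= 0;
        if (res->is_empty())
          return res;

        /*
          The 4-byte length prefix must be followed by at least one byte of
          compressed payload: 4 bytes or fewer means the data is corrupt.
        */
        if (res->length() <= 4)
        {
          push_warning_printf(current_thd,MYSQL_ERROR::WARN_LEVEL_ERROR,
                         ER_ZLIB_Z_DATA_ERROR,
                         ER(ER_ZLIB_Z_DATA_ERROR));
          goto err;
        }

        /*
          Size of uncompressed data is stored as first 4 bytes of field.
          The declared size comes straight from the argument, so it is
          capped against max_allowed_packet before any allocation happens:
          a forged prefix must not be able to force a huge buffer.
        */
        new_size= uint4korr(res->ptr()) & 0x3FFFFFFF;
        if (new_size > current_thd->variables.max_allowed_packet)
        {
          push_warning_printf(current_thd,MYSQL_ERROR::WARN_LEVEL_ERROR,
                         ER_TOO_BIG_FOR_UNCOMPRESS,
                         ER(ER_TOO_BIG_FOR_UNCOMPRESS),
                              static_cast<int>(current_thd->variables.
                                               max_allowed_packet));
          goto err;
        }
        if (buffer.realloc((uint32)new_size))
          goto err;

        /*
          sourceLen must cover only the compressed payload, i.e. exclude the
          4-byte length prefix that the source pointer already skips. Passing
          the full res->length() here let inflate() read up to 4 bytes past
          the end of the input while checking the zlib header, which is what
          the valgrind "uninitialised value" reports in MDEV-4513 /
          Bug#18693654 were about.
        */
        if ((err= uncompress((Byte*)buffer.ptr(), &new_size,
                        ((const Bytef*)res->ptr())+4,
                        res->length()-4)) == Z_OK)
        {
          buffer.length((uint32) new_size);
          return &buffer;
        }

        /* Map the zlib status to the matching server warning. */
        code= ((err == Z_BUF_ERROR) ? ER_ZLIB_Z_BUF_ERROR :
          ((err == Z_MEM_ERROR) ? ER_ZLIB_Z_MEM_ERROR : ER_ZLIB_Z_DATA_ERROR));
        push_warning(current_thd,MYSQL_ERROR::WARN_LEVEL_ERROR,code,ER(code));

      err:
        null_value= 1;
        return 0;
      }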

      bzr version-info

      revision-id: psergey@askmonty.org-20130505013255-oyp1f1cscm7z8bx8
      revno: 3656
      branch-nick: 5.3


        Activity

          Still reproducible on the current 10.0 tree (revno 4471).

          Upstream fix in 5.7.5:

          revno: 8002
          revision-id: tor.didriksen@oracle.com-20140513113847-4ibrwic6moadne9v
          parent: anitha.gopi@oracle.com-20140513113110-zaw6h206p2tn93bx
          committer: Tor Didriksen <tor.didriksen@oracle.com>
          branch nick: trunk-valgrind
          timestamp: Tue 2014-05-13 13:38:47 +0200
          message:
            Bug#18693654 VALGRIND WARNINGS IN INFLATE ON UNCOMPRESS
            
            The value of the sourceLen argument to uncompress() was wrong,
            and we got valgrind warnings when trying to verify the zip header of the compressed data.


          People

            serg Sergei Golubchik
            elenst Elena Stepanova