[MDEV-5655] Server crashes on NAME_CONST containing AND/OR expressions - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 5.1.67, 5.2.14, 5.3.12, 5.5.35, 10.0.8
Fix Version/s: 5.5.36, 10.0.9, 5.1.73, 5.2.15, 5.3.13
Component/s: None
Labels:
None

Description

SELECT NAME_CONST('a', -(1 OR 2)) OR 1;

SELECT NAME_CONST('a', -(1 AND 2)) AND 1;

See the following revision in mysql/5.6 tree:

                    ------------------------------------------------------------

                    revno: 2876.473.1

                    revision-id: magne.mahre@oracle.com-20110915075714-zzyzvrmfnna2ro42

                    parent: kristofer.pettersson@oracle.com-20110906074433-13s7zt1k7rj8gff5

                    committer: Magne Mahre <magne.mahre@oracle.com>

                    branch nick: mysql-trunk-security

                    timestamp: Thu 2011-09-15 09:57:14 +0200

                    message:

                      Bug#12735545 - PARSER STACK OVERFLOW WITH NAME_CONST CONTAINING

                                     OR EXPRESSION

                      Using NAME_CONST with a non-constant negated expression as

                      value could cause a server crash.

                      The issue was solved by added a more strict test on the

                      value argument when constructing the Item_name_const

                      object, verifying that the argument is indeed a literal

                      constant.

                ------------------------------------------------------------

Stack trace in 10.0:

#7  0x0000000000f0787f in __cxa_pure_virtual () at 10.0/mysys/my_new.cc:74

#8  0x00000000008948e5 in Item_cond::fix_fields (this=0x7f13244e06b8, thd=0x7f132733d070, ref=0x7f13244e07f0) at 10.0/sql/item_cmpfunc.cc:4337

#9  0x000000000061780a in setup_fields (thd=0x7f132733d070, ref_pointer_array=0x7f13244e0e48, fields=..., mark_used_columns=MARK_COLUMNS_READ, sum_func_list=0x7f13244e0c48, allow_sum_func=true) at 10.0/sql/sql_base.cc:7723

#10 0x00000000006a036e in JOIN::prepare (this=0x7f13244e0910, rref_pointer_array=0x7f13273416a0, tables_init=0x0, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f1327341428, unit_arg=0x7f1327340d48) at 10.0/sql/sql_select.cc:775

#11 0x00000000006a8f81 in mysql_select (thd=0x7f132733d070, rref_pointer_array=0x7f13273416a0, tables=0x0, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f13244e08f0, unit=0x7f1327340d48, select_lex=0x7f1327341428) at 10.0/sql/sql_select.cc:3270

#12 0x000000000069f78b in handle_select (thd=0x7f132733d070, lex=0x7f1327340c88, result=0x7f13244e08f0, setup_tables_done_option=0) at 10.0/sql/sql_select.cc:372

#13 0x0000000000674811 in execute_sqlcom_select (thd=0x7f132733d070, all_tables=0x0) at 10.0/sql/sql_parse.cc:5301

#14 0x000000000066cbbc in mysql_execute_command (thd=0x7f132733d070) at 10.0/sql/sql_parse.cc:2587

#15 0x0000000000676f9b in mysql_parse (thd=0x7f132733d070, rawbuf=0x7f13244e0088 "SELECT NAME_CONST('a', -(1 AND 2)) AND 1", length=40, parser_state=0x7f132ec06630) at 10.0/sql/sql_parse.cc:6447

#16 0x0000000000669d69 in dispatch_command (command=COM_QUERY, thd=0x7f132733d070, packet=0x7f1327333071 "SELECT NAME_CONST('a', -(1 AND 2)) AND 1", packet_length=40) at 10.0/sql/sql_parse.cc:1308

#17 0x000000000066910b in do_command (thd=0x7f132733d070) at 10.0/sql/sql_parse.cc:1005

#18 0x0000000000783371 in do_handle_one_connection (thd_arg=0x7f132733d070) at 10.0/sql/sql_connect.cc:1379

#19 0x00000000007830c4 in handle_one_connection (arg=0x7f132733d070) at 10.0/sql/sql_connect.cc:1293

#20 0x0000000000aab665 in pfs_spawn_thread (arg=0x7f132665c090) at 10.0/storage/perfschema/pfs.cc:1853

#21 0x00007f132e954b50 in start_thread (arg=<optimized out>) at pthread_create.c:304

#22 0x00007f132d4a3a7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

Stack trace in 5.1:

#4  0x0000000000000000 in ?? ()

#5  0x00000000006f20d5 in is_cond_and (item=0x2da7990) at item_cmpfunc.h:1705

#6  0x00000000006dba31 in MYSQLparse (yythd=0x2d19608) at sql_yacc.yy:6975

#7  0x00000000006bd691 in parse_sql (thd=0x2d19608, parser_state=0x7f4afc050710, creation_ctx=0x0) at sql_parse.cc:8165

#8  0x00000000006b942e in mysql_parse (thd=0x2d19608, rawbuf=0x2da74b0 "SELECT NAME_CONST('a', -(1 AND 2)) AND 1", length=40, found_semicolon=0x7f4afc050ca0) at sql_parse.cc:6182

#9  0x00000000006ab9bd in dispatch_command (command=COM_QUERY, thd=0x2d19608, packet=0x2d869b9 "SELECT NAME_CONST('a', -(1 AND 2)) AND 1", packet_length=40) at sql_parse.cc:1294

#10 0x00000000006aa951 in do_command (thd=0x2d19608) at sql_parse.cc:906

#11 0x00000000006a78e6 in handle_one_connection (arg=0x2d19608) at sql_connect.cc:1238

#12 0x00007f4b050adb50 in start_thread (arg=<optimized out>) at pthread_create.c:304

#13 0x00007f4b04df7a7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

Attachments

Activity

People

Assignee:: Sergei Golubchik

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2014-02-11 21:32

Updated:: 2014-02-14 10:13

Resolved:: 2014-02-14 10:13

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.