Details
Bug
Status: Closed
Major
Resolution: Fixed
5.5.43, 5.5.48, 10.0.23, 10.1.9, 10.1.11
None
Debian 8 (amd64)
10.1.13
Description
Running mysqlcheck (or mysqlanalyze / mysqloptimize / mysqlrepair) with a database name and the name of a nonexistent table leads to a crash:
$ mysqlcheck test doesntexist
Failed to SHOW CREATE TABLE `doesntexist`
Error: Table 'test.doesntexist' doesn't exist
*** Error in `mysqlcheck': free(): invalid pointer: 0x00007ffff23b0348 ***
Aborted
GDB session on current git HEAD:
Reading symbols from client/mysqlcheck...done.
(gdb) run
Starting program: /tmp/server/build/client/mysqlcheck test doesntexist
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Failed to SHOW CREATE TABLE `doesntexist`
Error: Table 'test.doesntexist' doesn't exist
*** Error in `/tmp/server/build/client/mysqlcheck': free(): invalid pointer: 0x00007fffffffdef8 ***

Program received signal SIGABRT, Aborted.
0x00007ffff6e23067 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff6e23067 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff6e24448 in __GI_abort () at abort.c:89
#2 0x00007ffff6e611b4 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff6f56820 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff6e6698e in malloc_printerr (action=1, str=0x7ffff6f528de "free(): invalid pointer", ptr=<optimized out>) at malloc.c:4996
#4 0x00007ffff6e67696 in _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3840
#5 0x00005555555760af in is_view (table=<optimized out>) at /tmp/server/client/mysqlcheck.c:526
#6 0x00005555555758e7 in process_selected_tables (tables=<optimized out>, table_names=0x555555b08208, db=<optimized out>) at /tmp/server/client/mysqlcheck.c:589
#7 main (argc=2, argv=0x555555b08200) at /tmp/server/client/mysqlcheck.c:1207
(gdb) frame 5
#5 0x00005555555760af in is_view (table=<optimized out>) at /tmp/lol/server/client/mysqlcheck.c:526
(gdb) p query
$1 = "SHOW CREATE TABLE `doesntexist`\000\227\371\260UUU\000\000\332\371\260UUU\000\000y\201\260UUU\000\000\313\025XUUU\000\000\000\000\000\000\000\000\000\000\b\203\260UUU\000\000-!`UUU\000\000\257\371\260UUU\000\000\352\f\000\000\034\000\000\000\020\346\257UUU\000\000\t\000\000\000\000\000\000\000 \000\000\000\025\000\000\000\020\377\273\367\377\177\000\000\250\025\274\367\377\177\000\000\300\340\377\377\377\177\000\000\036s#\003\000\000\000\000\260\340\377\377\377\177\000\000\260UUU", '\000' <repeats 18 times>, "\001\000/var/ru"...
The my_free(query); call in server/client/mysqlcheck.c:526 fails since commit 6f17e233 when query was moved to the stack. With the attached patch, the crash does not occur anymore.
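
The failure mode described above, as an added sketch in C that is not the MariaDB source or the attached patch: a query buffer with automatic storage must not be passed to free() on the error path. check_table, run_query and QUERY_MAX are hypothetical names, the table "t1" is constructed sample data, and building with -DSHOW_BUG restores the invalid free().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define QUERY_MAX 256   /* assumed size, not taken from mysqlcheck.c */

/* Hypothetical stand-in for the server round trip: only table "t1" exists. */
static int run_query(const char *q)
{
    return strcmp(q, "SHOW CREATE TABLE `t1`") == 0 ? 0 : -1;
}

/* Returns 0 if the table exists, -1 if the query fails,
 * -2 if the name is rejected (contains a backtick or does not fit). */
int check_table(const char *table)
{
    char query[QUERY_MAX];          /* automatic storage: never pass to free() */
    int n;

    if (strchr(table, '`') != NULL)
        return -2;                  /* sketch rejects backticks instead of escaping them */

    n = snprintf(query, sizeof query, "SHOW CREATE TABLE `%s`", table);
    if (n < 0 || (size_t)n >= sizeof query)
        return -2;                  /* truncated: do not send a partial statement */

    if (run_query(query) != 0) {
        fprintf(stderr, "Failed to %s\n", query);
#ifdef SHOW_BUG
        /* The reported pattern: a free() left over from when the buffer was
         * heap-allocated. glibc aborts with "free(): invalid pointer". */
        free(query);
#endif
        return -1;                  /* fixed: leaving the frame releases the buffer */
    }
    return 0;
}

int main(void)
{
    printf("t1: %d\n", check_table("t1"));
    printf("doesntexist: %d\n", check_table("doesntexist"));
    return 0;
}
```

GCC flags the SHOW_BUG variant at compile time with -Wfree-nonheap-object, and AddressSanitizer reports it at run time as an attempt to free a non-malloc()ed address.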