Details
Bug
Status: Closed
Major
Resolution: Fixed
5.5.43, 5.5.48, 10.0.23, 10.1.9, 10.1.11
None
Debian 8 (amd64)
10.1.13
Description
Running mysqlcheck (or mysqlanalyze / mysqloptimize / mysqlrepair) with a database name and the name of a nonexistent table leads to a crash:
$ mysqlcheck test doesntexist
Failed to SHOW CREATE TABLE `doesntexist`
Error: Table 'test.doesntexist' doesn't exist
*** Error in `mysqlcheck': free(): invalid pointer: 0x00007ffff23b0348 ***
Aborted
GDB session on current git HEAD:
Reading symbols from client/mysqlcheck...done.
(gdb) run
Starting program: /tmp/server/build/client/mysqlcheck test doesntexist
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Failed to SHOW CREATE TABLE `doesntexist`
Error: Table 'test.doesntexist' doesn't exist
*** Error in `/tmp/server/build/client/mysqlcheck': free(): invalid pointer: 0x00007fffffffdef8 ***

Program received signal SIGABRT, Aborted.
0x00007ffff6e23067 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff6e23067 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff6e24448 in __GI_abort () at abort.c:89
#2 0x00007ffff6e611b4 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff6f56820 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff6e6698e in malloc_printerr (action=1, str=0x7ffff6f528de "free(): invalid pointer", ptr=<optimized out>) at malloc.c:4996
#4 0x00007ffff6e67696 in _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3840
#5 0x00005555555760af in is_view (table=<optimized out>) at /tmp/server/client/mysqlcheck.c:526
#6 0x00005555555758e7 in process_selected_tables (tables=<optimized out>, table_names=0x555555b08208, db=<optimized out>) at /tmp/server/client/mysqlcheck.c:589
#7 main (argc=2, argv=0x555555b08200) at /tmp/server/client/mysqlcheck.c:1207
(gdb) frame 5
#5 0x00005555555760af in is_view (table=<optimized out>) at /tmp/lol/server/client/mysqlcheck.c:526
(gdb) p query
$1 = "SHOW CREATE TABLE `doesntexist`\000\227\371\260UUU\000\000\332\371\260UUU\000\000y\201\260UUU\000\000\313\025XUUU\000\000\000\000\000\000\000\000\000\000\b\203\260UUU\000\000-!`UUU\000\000\257\371\260UUU\000\000\352\f\000\000\034\000\000\000\020\346\257UUU\000\000\t\000\000\000\000\000\000\000 \000\000\000\025\000\000\000\020\377\273\367\377\177\000\000\250\025\274\367\377\177\000\000\300\340\377\377\377\177\000\000\036s#\003\000\000\000\000\260\340\377\377\377\177\000\000\260UUU", '\000' <repeats 18 times>, "\001\000/var/ru"...
The my_free(query); call in server/client/mysqlcheck.c:526 fails since commit 6f17e233 when query was moved to the stack. With the attached patch, the crash does not occur anymore.
Thanks for the report.
The problem appeared in 5.5 tree with this commit:
commit 6f17e233bf7f4de20dda8fb31f63aa52452c4e0a
Author: Sergei Golubchik <serg@mariadb.org>
Date: Tue Apr 28 21:24:32 2015 +0200
post-merge fixes
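The bug class reported above, an error path that still calls free() on a query buffer after its storage moved from the heap to the stack, can be ruled out by recording ownership next to the pointer. The following C code is an added example, not code from mysqlcheck or from the attached patch; `struct qbuf`, `qbuf_build`, `qbuf_release` and `QUERY_STACK_CAP` are hypothetical names, and the table name is assumed to be already validated.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define QUERY_STACK_CAP 1024  /* assumed size, chosen for this example */

/* Hypothetical query buffer that records who owns its storage. */
struct qbuf {
    char *ptr;      /* caller's stack array or a malloc'd block */
    int   on_heap;  /* 1 only when ptr came from malloc() */
};

/* Format the query into the caller's stack array when it fits and fall
   back to the heap otherwise. Returns 0 on success, -1 on failure. */
static int qbuf_build(struct qbuf *q, char *stack, size_t cap, const char *table)
{
    int need = snprintf(stack, cap, "SHOW CREATE TABLE `%s`", table);
    q->ptr = NULL;
    q->on_heap = 0;
    if (need < 0)
        return -1;
    if ((size_t)need < cap) {       /* fits: no allocation, nothing to free */
        q->ptr = stack;
        return 0;
    }
    q->ptr = malloc((size_t)need + 1);
    if (!q->ptr)
        return -1;
    snprintf(q->ptr, (size_t)need + 1, "SHOW CREATE TABLE `%s`", table);
    q->on_heap = 1;
    return 0;
}

/* Safe on every exit path, error paths included: free() is reached only
   for heap storage. Returns 1 if free() was called, otherwise 0. */
static int qbuf_release(struct qbuf *q)
{
    int freed = q->on_heap;
    if (freed)
        free(q->ptr);
    q->ptr = NULL;
    q->on_heap = 0;
    return freed;
}

int main(void)
{
    char stack[QUERY_STACK_CAP];
    struct qbuf q;
    if (qbuf_build(&q, stack, sizeof stack, "doesntexist") == 0)
        fprintf(stderr, "Failed to %s\n", q.ptr);  /* simulated error path */
    qbuf_release(&q);                              /* no free() on stack memory */
    return 0;
}
```

Building with AddressSanitizer (`-fsanitize=address`) and running the nonexistent-table case in a test suite reports this kind of invalid free() at the faulting call.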