[CONC-334] mysql_stmt_result_metadata() returns uninitialized memory and cause SEGFAULT Created: 2018-05-28  Updated: 2018-06-14  Resolved: 2018-06-05

Status: Closed
Project: MariaDB Connector/C
Component/s: None
Affects Version/s: 2.3.5, 3.0.4
Fix Version/s: 2.3.6, 3.0.5

Type: Bug Priority: Critical
Reporter: Pali Assignee: Georg Richter
Resolution: Fixed Votes: 0
Labels: None

Attachments: File test-length.c    

 Description   

Values name_length and table_length from mysql_fetch_field() returned by mysql_stmt_result_metadata() are sometime zero and sometimes uninitialized.

Running application under valgrind resulted that reading name_length or table_length caused either "Use of uninitialised value of size 8" or "Conditional jump or move depends on uninitialised value(s)".

This defect in MariaDB was found when developing Perl DBI driver DBD::MariaDB: http://github.com/gooddata/DBD-MariaDB. And is causing SEGFAULT of perl process when trying to use name_length from mysql_fetch_field().

All versions of MariaDB 10.3 series are affected. Affected is also MariaDB 10.2 series since version 10.2.4. 10.2.3 and older works fine. Also all versions in MariaDB 5.5 series work fine.

And affected are also all MariaDB Connector/C versions in 2.3 and 3.0 series.

Simple C application for reproducing this problem is in the attachment. Compile it with:
$ gcc test-length.c -o test-length `mysql_config --cflags --libs`

Output for MariaDB 10.2.4 (affected):

$ valgrind ./test-length 127.0.0.1 0 pali pali
 
==19697== Memcheck, a memory error detector
 
==19697== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
 
==19697== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
 
==19697== Command: ./test-length 127.0.0.1 0 pali pali
 
==19697== 
==19697== Use of uninitialised value of size 8
 
==19697==    at 0x50BF19B: _itoa_word (_itoa.c:179)
 
==19697==    by 0x50C3899: vfprintf (vfprintf.c:1636)
 
==19697==    by 0x50CA228: printf (printf.c:33)
 
==19697==    by 0x108E5A: main (in test-length)
 
==19697== 
==19697== Conditional jump or move depends on uninitialised value(s)
 
==19697==    at 0x50BF1A5: _itoa_word (_itoa.c:179)
 
==19697==    by 0x50C3899: vfprintf (vfprintf.c:1636)
 
==19697==    by 0x50CA228: printf (printf.c:33)
 
==19697==    by 0x108E5A: main (in test-length)
 
==19697== 
==19697== Conditional jump or move depends on uninitialised value(s)
 
==19697==    at 0x50C39A1: vfprintf (vfprintf.c:1636)
 
==19697==    by 0x50CA228: printf (printf.c:33)
 
==19697==    by 0x108E5A: main (in test-length)
 
==19697== 
==19697== Conditional jump or move depends on uninitialised value(s)
 
==19697==    at 0x50C2861: vfprintf (vfprintf.c:1636)
 
==19697==    by 0x50CA228: printf (printf.c:33)
 
==19697==    by 0x108E5A: main (in test-length)
 
==19697== 
==19697== Conditional jump or move depends on uninitialised value(s)
 
==19697==    at 0x50C28E2: vfprintf (vfprintf.c:1636)
 
==19697==    by 0x50CA228: printf (printf.c:33)
 
==19697==    by 0x108E5A: main (in test-length)
 
==19697== 
field: name=Engine name_length=0 table=ENGINES table_length=0
 
field: name=Support name_length=0 table=ENGINES table_length=0
 
field: name=Comment name_length=0 table=ENGINES table_length=0
 
field: name=Transactions name_length=0 table=ENGINES table_length=0
 
field: name=XA name_length=0 table=ENGINES table_length=0
 
field: name=Savepoints name_length=0 table=ENGINES table_length=0
 
==19697== 
==19697== HEAP SUMMARY:
 
==19697==     in use at exit: 0 bytes in 0 blocks
 
==19697==   total heap usage: 82 allocs, 82 frees, 79,277 bytes allocated
 
==19697== 
==19697== All heap blocks were freed -- no leaks are possible
 
==19697== 
==19697== For counts of detected and suppressed errors, rerun with: -v
 
==19697== Use --track-origins=yes to see where uninitialised values come from
 
==19697== ERROR SUMMARY: 60 errors from 5 contexts (suppressed: 0 from 0)

According to documentation name_length should be length of name (strlen), not zero or uninitialised value.

Output for MariaDB 10.2.3 (not affected)

$ valgrind ./test-length 127.0.0.1 0 pali pali
 
==11107== Memcheck, a memory error detector
 
==11107== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
 
==11107== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
 
==11107== Command: ./test-length 127.0.0.1 0 pali pali
 
==11107== 
field: name=Engine name_length=6 table=ENGINES table_length=7
 
field: name=Support name_length=7 table=ENGINES table_length=7
 
field: name=Comment name_length=7 table=ENGINES table_length=7
 
field: name=Transactions name_length=12 table=ENGINES table_length=7
 
field: name=XA name_length=2 table=ENGINES table_length=7
 
field: name=Savepoints name_length=10 table=ENGINES table_length=7
 
==11107== 
==11107== HEAP SUMMARY:
 
==11107==     in use at exit: 0 bytes in 0 blocks
 
==11107==   total heap usage: 100 allocs, 100 frees, 248,721 bytes allocated
 
==11107== 
==11107== All heap blocks were freed -- no leaks are possible
 
==11107== 
==11107== For counts of detected and suppressed errors, rerun with: -v
 
==11107== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

Here with older version it is correct.

Note that MySQL 5.5, 5.6, 5.7 and 8.0 do not have this problem. It is MariaDB-only.

This problems makes implementation of DBD::MariaDB perl driver problematic.

 Comments   
Comment by Pali [ 2018-05-28 ]

As a workaround for DBD::MariaDB to prevent crashing I added code which recalculates those length fields:
https://github.com/gooddata/DBD-MariaDB/pull/61

Comment by Pali [ 2018-06-14 ]

Thanks for quick fix. Now I would like to know two things:

In which MariaDB releases will be this problem fixed?

And what is that correct #ifdef way to check in C source code if fixed version of Connector/C (that is 2.3.6 or 3.0.5) is in use?

Comment by Georg Richter [ 2018-06-14 ]

Hi Pali,

you need to check MARIADB_PACKAGE_VERSION_ID, which is defined in mariadb_version.h include file.

Generated at Thu Feb 08 03:04:34 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.