[CONC-64] double free or corruption in unpack_fields Created: 2013-12-27  Updated: 2014-12-19  Resolved: 2014-12-19

Status: Closed
Project: MariaDB Connector/C
Component/s: None
Affects Version/s: None
Fix Version/s: 2.0.0

Type: Bug
Priority: Major
Reporter: Patrick Schlangen
Assignee: Georg Richter
Resolution: Fixed
Votes: 0
Labels: None
Environment:

openSUSE 11.1 x86_64, connecting to mysqld Ver 5.0.67 for suse-linux-gnu on x86_64 (SUSE MySQL RPM)


Attachments: Text File mariadb.log

Description

After executing a certain query, libmariadb crashes with a double free or corruption error detected by glibc.

glibc detected: double free or corruption (!prev): 0x00000000005990e0

Backtrace:

(gdb) bt
#0  0x00007ffff6595645 in raise () from /lib64/libc.so.6
#1  0x00007ffff6596c33 in abort () from /lib64/libc.so.6
#2  0x00007ffff65d18e8 in ?? () from /lib64/libc.so.6
#3  0x00007ffff65d7118 in ?? () from /lib64/libc.so.6
#4  0x00007ffff65d8c76 in free () from /lib64/libc.so.6
#5  0x00007ffff76950f5 in free_root () from /opt/b1gmailserver/libs/libmariadb.so.1
#6  0x00007ffff768fc44 in free_rows () from /opt/b1gmailserver/libs/libmariadb.so.1
#7  0x00007ffff769078e in unpack_fields () from /opt/b1gmailserver/libs/libmariadb.so.1
#8  0x00007ffff7691634 in mthd_my_read_query_result () from /opt/b1gmailserver/libs/libmariadb.so.1
#9  0x00000000004423e2 in Core::MySQL_DB::Query(char const*, ...) ()
#10 0x000000000041aac1 in Core::Config::ReadDBConfig() ()
#11 0x000000000043461d in main ()

Tested with r 107. Issue seems to occur when connecting to certain MySQL versions or configurations only.

I assume that more information is required to investigate this issue, but don't know which. Please let me know if further information is required.



Comments
Comment by Patrick Schlangen [ 2013-12-27 ]

Just out of curiosity, I've changed the 8192 bytes buffer length in libmariadb.c (lines 614 and 1182) to 8192*2 bytes. This fixes the issue for me.
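The workaround above (doubling a fixed 8192-byte buffer) is consistent with a fixed-size buffer being overrun by the metadata of a table with many columns. glibc's "double free or corruption (!prev)" abort fires when the chunk being freed does not look in-use to its neighbour, which can result either from a genuine double free or from an overflow that clobbered the neighbouring chunk's header. The C program below is an added example and is not libmariadb code; the `field_buffer` layout, the `pack`/`demo` function names and the constructed column names are assumptions made for illustration. It shows the defensive pattern: every append into the fixed buffer is bounds-checked and reports failure instead of writing past the end, so a wide result set becomes a handled error rather than heap corruption.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed for illustration: the fixed buffer size mentioned in the report. */
#define FIELD_BUF_SIZE 8192

/* Fixed-size staging buffer for packed column metadata. */
typedef struct {
    char   buf[FIELD_BUF_SIZE];
    size_t used;
} field_buffer;

/*
 * Append one column name as a 2-byte little-endian length prefix followed by
 * the name bytes. Returns 0 on success and -1 when the entry would not fit;
 * on -1 nothing is written, so the buffer can never be overrun.
 */
int field_buffer_append(field_buffer *fb, const char *name, size_t len)
{
    if (len > UINT16_MAX)
        return -1;
    if (fb->used > FIELD_BUF_SIZE)           /* corrupted bookkeeping */
        return -1;
    if (FIELD_BUF_SIZE - fb->used < len + 2) /* would overrun: refuse */
        return -1;
    fb->buf[fb->used++] = (char)(len & 0xff);
    fb->buf[fb->used++] = (char)((len >> 8) & 0xff);
    memcpy(fb->buf + fb->used, name, len);
    fb->used += len;
    return 0;
}

/*
 * Pack the metadata of a constructed "wide table" with ncols columns whose
 * names are zero-padded numbers of name_len characters (e.g. "0000000042").
 * Returns the number of columns packed; *overflowed_out is set when the
 * buffer ran out, which a caller should turn into a query error.
 */
size_t demo_wide_table(size_t ncols, size_t name_len,
                       size_t *used_out, int *overflowed_out)
{
    field_buffer fb;
    char name[64];
    size_t packed = 0;
    int overflowed = 0;

    fb.used = 0;
    if (name_len == 0 || name_len >= sizeof name)
        return 0;

    for (size_t i = 0; i < ncols; i++) {
        /* constructed column name, zero-padded to name_len characters */
        snprintf(name, sizeof name, "%0*zu", (int)name_len, i);
        if (field_buffer_append(&fb, name, name_len) != 0) {
            overflowed = 1; /* stop cleanly instead of writing past the end */
            break;
        }
        packed++;
    }
    if (used_out)
        *used_out = fb.used;
    if (overflowed_out)
        *overflowed_out = overflowed;
    return packed;
}

int main(void)
{
    size_t used;
    int overflowed;
    size_t n;

    n = demo_wide_table(100, 10, &used, &overflowed);
    printf("100 columns: packed %zu, used %zu bytes, overflow=%d\n",
           n, used, overflowed);

    /* 1000 columns at 12 bytes each need 12000 bytes, more than the buffer */
    n = demo_wide_table(1000, 10, &used, &overflowed);
    printf("1000 columns: packed %zu, used %zu bytes, overflow=%d\n",
           n, used, overflowed);
    return 0;
}
```

With 10-character names each entry occupies 12 bytes, so 100 columns fit (1200 bytes) while 1000 columns stop at the 683rd entry with 8184 bytes used and the overflow flag set; the point is that the second case returns an error the caller can report instead of silently corrupting the heap and surfacing later inside free().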

Comment by Georg Richter [ 2014-01-03 ]

Hi Patrick,

Thank you for your bug report.

Some more information would be helpful: Could you please build a debug version (-DCMAKE_BUILD_TYPE=Debug) and produce a debug log (export MYSQL_DEBUG=d:t:O,/path_to/debug.log) and attach the log file to this report?

Thanks!

Comment by Patrick Schlangen [ 2014-01-06 ]

Hi Georg,

Thanks for your reply. I've attached the log.
I know that the query in line 252 is suboptimal and that the involved table has too many fields, but I believe this should not lead to a crash.
Please let me know if you need more information.

Best Regards

Patrick

Comment by Brad House (Inactive) [ 2014-04-30 ]

Actually, I think I saw this crash too, which led me to investigate further with valgrind. Can you try the patch I created in CONC-92? I have a feeling the issue is one and the same.

Comment by Georg Richter [ 2014-12-19 ]

This bug was fixed in rev. 141 (see CONC-92).

Generated at Thu Feb 08 03:02:37 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.