[MDEV-23558] Galera heap-buffer-overflow at wsrep_schema.cc:1067 Created: 2020-08-24  Updated: 2020-10-06  Resolved: 2020-08-25

Status: Closed
Project: MariaDB Server
Component/s: Galera
Affects Version/s: 10.4, 10.5
Fix Version/s: 10.4.16, 10.5.7

Type: Bug Priority: Major
Reporter: Jan Lindström (Inactive) Assignee: Jan Lindström (Inactive)
Resolution: Fixed Votes: 0
Labels: None


Description
How to repeat: ./mtr galera_sr.GCF-1043B

    ==2610681==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000016658 at pc 0x55f4f9d2d31e bp 0x7f2d2ed24980 sp 0x7f2d2ed24970
    READ of size 8 at 0x602000016658 thread T36
        #0 0x55f4f9d2d31d in Wsrep_schema::remove_fragments(THD*, wsrep::id const&, wsrep::transaction_id, std::vector<wsrep::seqno, std::allocator<wsrep::seqno> > const&) /home/jan/mysql/10.4-bugs/sql/wsrep_schema.cc:1067
        #1 0x55f4f9cd0b38 in Wsrep_client_service::remove_fragments() /home/jan/mysql/10.4-bugs/sql/wsrep_client_service.cc:203
        #2 0x55f4fb408cbd in wsrep::transaction::before_prepare(wsrep::unique_lock<wsrep::mutex>&) /home/jan/mysql/10.4-bugs/wsrep-lib/src/transaction.cpp:307
        #3 0x55f4fb40974a in wsrep::transaction::before_commit() /home/jan/mysql/10.4-bugs/wsrep-lib/src/transaction.cpp:438
        #4 0x55f4f9cdee69 in wsrep::client_state::before_commit() /home/jan/mysql/10.4-bugs/wsrep-lib/include/wsrep/client_state.hpp:472
        #5 0x55f4f9ef79b8 in wsrep_before_commit /home/jan/mysql/10.4-bugs/sql/wsrep_trans_observer.h:273
        #6 0x55f4f9f005ef in ha_commit_trans(THD*, bool) /home/jan/mysql/10.4-bugs/sql/handler.cc:1548
        #7 0x55f4f9b1ff95 in trans_commit_stmt(THD*) /home/jan/mysql/10.4-bugs/sql/transaction.cc:436
        #8 0x55f4f9719ee2 in mysql_execute_command(THD*) /home/jan/mysql/10.4-bugs/sql/sql_parse.cc:6156
        #9 0x55f4f97253ed in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/jan/mysql/10.4-bugs/sql/sql_parse.cc:7896
        #10 0x55f4f9724180 in wsrep_mysql_parse /home/jan/mysql/10.4-bugs/sql/sql_parse.cc:7700
        #11 0x55f4f96fc358 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/jan/mysql/10.4-bugs/sql/sql_parse.cc:1820
        #12 0x55f4f96f8f83 in do_command(THD*) /home/jan/mysql/10.4-bugs/sql/sql_parse.cc:1352
        #13 0x55f4f9ae4b2c in do_handle_one_connection(CONNECT*) /home/jan/mysql/10.4-bugs/sql/sql_connect.cc:1412
        #14 0x55f4f9ae43d0 in handle_one_connection /home/jan/mysql/10.4-bugs/sql/sql_connect.cc:1316
        #15 0x55f4fb17c320 in pfs_spawn_thread /home/jan/mysql/10.4-bugs/storage/perfschema/pfs.cc:1869
        #16 0x7f2d52c2b608 in start_thread /build/glibc-YYA7BZ/glibc-2.31/nptl/pthread_create.c:477
        #17 0x7f2d523e9102 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122102)

Generated at Thu Feb 08 09:23:19 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.