--source include/have_innodb.inc

CREATE TABLE t1 (

  pk int auto_increment,

  f char(255),

  primary key (pk),

  fulltext key (f)

) ENGINE=InnoDB CHARACTER SET tis620;

INSERT INTO t1 VALUES (1,'foo'),(2,'bar');

--source include/restart_mysqld.inc

DROP TABLE t1;

==4086435==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f16931c8522 at pc 0x55f2d11ac29b bp 0x7f16931c8430 sp 0x7f16931c8420

WRITE of size 1 at 0x7f16931c8522 thread T15

2021-01-28  0:23:00 139734809470720 [Note] Event Scheduler: Purging the queue. 0 events

    #0 0x55f2d11ac29a in strmake /data/src/10.2/strings/strmake.c:66

    #1 0x55f2d11491dc in my_strnxfrm_tis620 /data/src/10.2/strings/ctype-tis620.c:608

    #2 0x55f2d0411b00 in innobase_strnxfrm(charset_info_st const*, unsigned char const*, unsigned long) /data/src/10.2/storage/innobase/handler/ha_innodb.cc:6794

    #3 0x55f2d0af178b in fts_select_index_by_range /data/src/10.2/storage/innobase/include/fts0types.ic:140

    #4 0x55f2d0af1c63 in fts_select_index /data/src/10.2/storage/innobase/include/fts0types.ic:215

    #5 0x55f2d0b05af6 in fts_sync_write_words /data/src/10.2/storage/innobase/fts/fts0fts.cc:3998

    #6 0x55f2d0b06b13 in fts_sync_index /data/src/10.2/storage/innobase/fts/fts0fts.cc:4107

    #7 0x55f2d0b08224 in fts_sync /data/src/10.2/storage/innobase/fts/fts0fts.cc:4340

    #8 0x55f2d0b08911 in fts_sync_table(dict_table_t*, bool) /data/src/10.2/storage/innobase/fts/fts0fts.cc:4417

    #9 0x55f2d0b2aceb in fts_optimize_sync_table /data/src/10.2/storage/innobase/fts/fts0opt.cc:2773

    #10 0x55f2d0b2b42b in fts_optimize_thread /data/src/10.2/storage/innobase/fts/fts0opt.cc:2893

    #11 0x7f16a2a58608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477

    #12 0x7f16a2632292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

Address 0x7f16931c8522 is located in stack of thread T15 at offset 34 in frame

    #0 0x55f2d04119be in innobase_strnxfrm(charset_info_st const*, unsigned char const*, unsigned long) /data/src/10.2/storage/innobase/handler/ha_innodb.cc:6786

  This frame has 1 object(s):

    [32, 34) 'mystr' (line 6787) <== Memory access at offset 34 overflows this variable

HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork

      (longjmp and C++ exceptions *are* supported)

Thread T15 created by T0 here:

    #0 0x7f16a2eec805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)

    #1 0x55f2d05dd777 in os_thread_create_func(void* (*)(void*), void*, unsigned long*) /data/src/10.2/storage/innobase/os/os0thread.cc:138

    #2 0x55f2d0b2b9a0 in fts_optimize_init() /data/src/10.2/storage/innobase/fts/fts0opt.cc:2959

    #3 0x55f2d07dbbfb in innobase_start_or_create_for_mysql() /data/src/10.2/storage/innobase/srv/srv0start.cc:2639

    #4 0x55f2d04055ae in innobase_init /data/src/10.2/storage/innobase/handler/ha_innodb.cc:4297

    #5 0x55f2cfee531a in ha_initialize_handlerton(st_plugin_int*) /data/src/10.2/sql/handler.cc:555

    #6 0x55f2cf8e0240 in plugin_initialize /data/src/10.2/sql/sql_plugin.cc:1417

    #7 0x55f2cf8e1f77 in plugin_init(int*, char**, int) /data/src/10.2/sql/sql_plugin.cc:1698

    #8 0x55f2cf65251a in init_server_components /data/src/10.2/sql/mysqld.cc:5387

    #9 0x55f2cf654543 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:5985

    #10 0x55f2cf63c93c in main /data/src/10.2/sql/main.cc:25

    #11 0x7f16a25370b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: stack-buffer-overflow /data/src/10.2/strings/strmake.c:66 in strmake

Shadow bytes around the buggy address:

  0x0fe352631050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0fe352631060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0fe352631070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0fe352631080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0fe352631090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

=>0x0fe3526310a0: f1 f1 f1 f1[02]f3 f3 f3 00 00 00 00 00 00 00 00

  0x0fe3526310b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0fe3526310c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0fe3526310d0: f1 f1 f1 f1 f1 f1 00 00 00 00 00 00 f2 f2 f2 f2

  0x0fe3526310e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0fe3526310f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07 

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

  Shadow gap:              cc

==4086435==ABORTING

#3  <signal handler called>

#4  0x0000564c0ace9c58 in table_name_t::dblen (this=0x10) at /data/src/10.2/storage/innobase/include/dict0mem.h:571

#5  fts_get_table_name (fts_table=fts_table@entry=0x7fc03a7fb8f0, table_name=table_name@entry=0x7fc03a7fb5e0 "", dict_locked=dict_locked@entry=false) at /data/src/10.2/storage/innobase/fts/fts0sql.cc:122

#6  0x0000564c0acd15da in fts_write_node (trx=0x0, graph=0x7fbff40938f8, fts_table=0x7fc03a7fb8f0, word=0x7fbff4096e20, node=0x7fbff4093ef0) at /data/src/10.2/storage/innobase/fts/fts0fts.cc:3857

#7  0x0000564c0acd1846 in fts_sync_write_words (unlock_cache=<optimized out>, index_cache=0x7fbff4093870, trx=<optimized out>) at /data/src/10.2/storage/innobase/fts/fts0fts.cc:4023

#8  fts_sync_index (sync=<optimized out>, index_cache=0x7fbff4093870) at /data/src/10.2/storage/innobase/fts/fts0fts.cc:4107

#9  0x0000000000000000 in ?? ()

#3  <signal handler called>

#4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50

#5  0x00007f137aace859 in __GI_abort () at abort.c:79

#6  0x00007f137ab393ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f137ac6307c "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155

#7  0x00007f137abdbb4a in __GI___fortify_fail (msg=msg@entry=0x7f137ac63064 "stack smashing detected") at fortify_fail.c:26

#8  0x00007f137abdbb16 in __stack_chk_fail () at stack_chk_fail.c:24

#9  0x0000556f4551c2a3 in fts_sync_index (sync=<optimized out>, index_cache=<optimized out>) at /data/src/10.6/storage/innobase/fts/fts0fts.cc:4003

#10 0x0000000000000000 in ?? ()

#3  <signal handler called>

#4  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:384

#5  0x000055f628f5ad29 in memcpy (__len=18446603585329305217, __src=0x7fc5ffffe980, __dest=0x7fc5ffffe5e0) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34

#6  fts_get_table_name (fts_table=fts_table@entry=0x7fc5ffffe8f0, table_name=table_name@entry=0x7fc5ffffe5e0 "", dict_locked=dict_locked@entry=false) at /data/src/10.3/storage/innobase/fts/fts0sql.cc:124

#7  0x000055f628f42f6a in fts_write_node (trx=0x55f628e79728 <trx_create()+472>, graph=0x7fc5c806cf08, fts_table=0x7fc5ffffe8f0, word=0x7fc5c811b800, node=0x7fc5c806d520) at /data/src/10.3/storage/innobase/fts/fts0fts.cc:3834

#8  0x000055f628f431e6 in fts_sync_write_words (unlock_cache=<optimized out>, index_cache=0x7fc5c806ce80, trx=<optimized out>) at /data/src/10.3/storage/innobase/fts/fts0fts.cc:4000

#9  fts_sync_index (sync=<optimized out>, index_cache=0x7fc5c806ce80) at /data/src/10.3/storage/innobase/fts/fts0fts.cc:4084

#10 0x0000000000000000 in ?? ()