[MDEV-32226] UBSAN shift exponent X is too large for 64-bit type 'long long int' in sql/field.cc Created: 2023-09-22  Updated: 2023-10-05  Resolved: 2023-10-05

Status: Closed
Project: MariaDB Server
Component/s: Data types
Affects Version/s: 10.4, 10.5, 10.6, 10.9, 10.10, 10.11, 11.0, 11.1, 11.2, 11.3
Fix Version/s: 10.8.8, 10.4.32, 10.5.23, 10.6.16, 10.9.8, 10.10.7, 10.11.6, 11.0.4, 11.1.3, 11.2.2, 11.3.1

Type: Bug Priority: Critical
Reporter: Ramesh Sivaraman Assignee: Alexander Barkov
Resolution: Fixed Votes: 0
Labels: None


Description

SET sql_mode='';
CREATE TABLE t (f SET('1','2','3','4','5','6','7','8','9','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1'));
INSERT INTO t VALUES ('0');

Leads to

11.3.0 fa64a7a10cb23475c3008ff3d935d12659d2a81f (Optimized, UBASAN)

/test/mtest/MDEV-31606/11.3_opt_san/sql/field.cc:9459:35: runtime error: shift exponent 65 is too large for 64-bit type 'long long int'
    #0 0x558f877fd78d in Field_set::store(char const*, unsigned long, charset_info_st const*) /test/mtest/MDEV-31606/11.3_opt_san/sql/field.cc:9459
    #1 0x558f85f17f7d in fill_record(THD*, TABLE*, Field**, List<Item>&, bool, bool) /test/mtest/MDEV-31606/11.3_opt_san/sql/sql_base.cc:9320
    #2 0x558f85f196af in fill_record_n_invoke_before_triggers(THD*, TABLE*, Field**, List<Item>&, bool, trg_event_type) /test/mtest/MDEV-31606/11.3_opt_san/sql/sql_base.cc:9375
    #3 0x558f86107784 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/mtest/MDEV-31606/11.3_opt_san/sql/sql_insert.cc:1097
    #4 0x558f862f9771 in mysql_execute_command(THD*, bool) /test/mtest/MDEV-31606/11.3_opt_san/sql/sql_parse.cc:4416
    #5 0x558f86285fb0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/mtest/MDEV-31606/11.3_opt_san/sql/sql_parse.cc:7732
    #6 0x558f862dcd28 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/mtest/MDEV-31606/11.3_opt_san/sql/sql_parse.cc:1893
    #7 0x558f862e842d in do_command(THD*, bool) /test/mtest/MDEV-31606/11.3_opt_san/sql/sql_parse.cc:1406
    #8 0x558f86c2871d in do_handle_one_connection(CONNECT*, bool) /test/mtest/MDEV-31606/11.3_opt_san/sql/sql_connect.cc:1445
    #9 0x558f86c2ad8c in handle_one_connection /test/mtest/MDEV-31606/11.3_opt_san/sql/sql_connect.cc:1347
    #10 0x14d39fc5a608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
    #11 0x14d39eecf132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)



Comments
Comment by Oleksandr Byelkin [ 2023-09-25 ]

Type_handler_set::Column_definition_prepare_stage2 ignores duplicates (def->interval->count - dup_count > sizeof(longlong)*8), but then Field_set::store uses typelib->count for the shift, which is bigger than 64.
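The mismatch the comment describes can be modelled outside the server. The C program below is an added illustration, not MariaDB code: the struct, the function names and the "distinct count" check are hypothetical stand-ins for the server's TYPELIB and for Column_definition_prepare_stage2 / Field_set::store. It rebuilds the ticket's SET definition as 65 entries (9 distinct digits plus 56 repeats of '1', constructed to match the shift exponent 65 in the report), shows that the definition check passes on the distinct count while a shift by the raw count is outside the defined range 0..63 for a 64-bit value, and computes the store-time mask from the distinct count with the exponent clamped so the shift is always defined.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the SET column's type library: member names as
   written in the DDL, duplicates included.  Not MariaDB's own TYPELIB. */
typedef struct {
    const char *names[128];
    size_t count;               /* raw entry count, duplicates included */
} set_typelib;

/* Constructed reproducer: '1'..'9' followed by 56 repeats of '1', i.e. 65
   entries, chosen to match the shift exponent 65 in the UBSAN report. */
void build_reproducer(set_typelib *tl)
{
    static const char *digits[] = {"1","2","3","4","5","6","7","8","9"};
    tl->count = 0;
    for (size_t i = 0; i < 9; i++)
        tl->names[tl->count++] = digits[i];
    for (size_t i = 0; i < 56; i++)
        tl->names[tl->count++] = "1";
}

/* Number of entries that repeat an earlier entry (binary comparison here;
   the server compares under the column collation). */
size_t count_duplicates(const set_typelib *tl)
{
    size_t dups = 0;
    for (size_t i = 0; i < tl->count; i++)
        for (size_t j = 0; j < i; j++)
            if (strcmp(tl->names[i], tl->names[j]) == 0) { dups++; break; }
    return dups;
}

/* Definition-time check as the comment describes it: the column is accepted
   when the number of distinct members fits in 64 bits. */
int column_definition_ok(const set_typelib *tl)
{
    return tl->count - count_duplicates(tl) <= 64;
}

/* A left shift of a 64-bit value is only defined for exponents 0..63.
   This is the precondition the store path violated with exponent 65. */
int shift_is_defined(size_t exponent)
{
    return exponent < 64;
}

/* Mask of the low n bits without ever shifting by 64 or more. */
uint64_t low_bits_mask(size_t n)
{
    if (n >= 64)
        return UINT64_MAX;
    return (UINT64_C(1) << n) - 1;
}

/* Store-time validation done safely: derive the width from the distinct
   count, the same quantity the definition check used, with the shift clamped. */
int stored_value_fits(const set_typelib *tl, uint64_t bitmap)
{
    size_t distinct = tl->count - count_duplicates(tl);
    return (bitmap & ~low_bits_mask(distinct)) == 0;
}

int main(void)
{
    set_typelib tl;
    build_reproducer(&tl);
    size_t distinct = tl.count - count_duplicates(&tl);
    printf("entries=%zu distinct=%zu definition_ok=%d shift_by_raw_count_defined=%d\n",
           tl.count, distinct, column_definition_ok(&tl), shift_is_defined(tl.count));
    printf("bitmap 0 fits=%d, bit 9 fits=%d\n",
           stored_value_fits(&tl, 0), stored_value_fits(&tl, UINT64_C(1) << 9));
    return 0;
}
```

The point of the model is that both checks must be driven by the same quantity: once the definition stage accepts a column because its distinct member count fits in 64 bits, any later shift must use that distinct count (or clamp the exponent) rather than the raw entry count, otherwise the exponent can exceed 63 exactly as UBSAN reported.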
