author | Nayuta Yanagisawa <nayuta.yanagisawa@hey.com> | 2022-07-01 21:41:45 +0900 |
committer | Nayuta Yanagisawa <nayuta.yanagisawa@hey.com> | 2022-11-28 04:38:18 +0900 |
commit | 4e9206736c403206915c09db1c9d8e3cd0fd0c5b (patch) | |
tree | 5201663d6698b5bd2965976068a50ec8e9a877f2 | |
parent | 162c1505052030e3496f83c5b711fd0ef5cb2bea (diff) | |
download | mariadb-git-4e9206736c403206915c09db1c9d8e3cd0fd0c5b.tar.gz |
MDEV-28996 ASAN errors in String::q_append / spider_string::q_append / spider_db_mbase_util::open_item_func
The server crashed due to the stack-use-after-scope on tmp_str.
tmp_str is used later, so it must not point to the local buffer.
4 files changed, 90 insertions, 9 deletions
diff --git a/storage/spider/mysql-test/spider/bugfix/r/mdev_28996.result b/storage/spider/mysql-test/spider/bugfix/r/mdev_28996.result
new file mode 100644
index 00000000000..f805e7ef3ad
--- /dev/null
+++ b/storage/spider/mysql-test/spider/bugfix/r/mdev_28996.result
@@ -0,0 +1,34 @@
+#
+# MDEV-28996 ASAN errors in String::q_append / spider_string::q_append / spider_db_mbase_util::open_item_func
+#
+for master_1
+for child2
+child2_1
+child2_2
+child2_3
+for child3
+connection child2_1;
+CREATE DATABASE auto_test_remote;
+USE auto_test_remote;
+CREATE TABLE tbl_a (
+a CHAR(8)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+INSERT INTO tbl_a VALUES ('foo'),('bar');
+connection master_1;
+CREATE DATABASE auto_test_local;
+USE auto_test_local;
+CREATE TABLE tbl_a (
+a CHAR(8)
+) ENGINE=Spider DEFAULT CHARSET=utf8 COMMENT='table "tbl_a", srv "s_2_1"';
+SELECT MAX(BINARY a) FROM tbl_a;
+MAX(BINARY a)
+foo
+DROP DATABASE auto_test_local;
+connection child2_1;
+DROP DATABASE auto_test_remote;
+for master_1
+for child2
+child2_1
+child2_2
+child2_3
+for child3
diff --git a/storage/spider/mysql-test/spider/bugfix/t/mdev_28996.cnf b/storage/spider/mysql-test/spider/bugfix/t/mdev_28996.cnf
new file mode 100644
index 00000000000..05dfd8a0bce
--- /dev/null
+++ b/storage/spider/mysql-test/spider/bugfix/t/mdev_28996.cnf
@@ -0,0 +1,3 @@
+!include include/default_mysqld.cnf
+!include ../my_1_1.cnf
+!include ../my_2_1.cnf
diff --git a/storage/spider/mysql-test/spider/bugfix/t/mdev_28996.test b/storage/spider/mysql-test/spider/bugfix/t/mdev_28996.test
new file mode 100644
index 00000000000..8097fe7e607
--- /dev/null
+++ b/storage/spider/mysql-test/spider/bugfix/t/mdev_28996.test
@@ -0,0 +1,40 @@
+--echo #
+--echo # MDEV-28996 ASAN errors in String::q_append / spider_string::q_append / spider_db_mbase_util::open_item_func
+--echo #
+
+--disable_query_log
+--disable_result_log
+--source ../t/test_init.inc
+--enable_query_log
+--enable_result_log
+
+--connection child2_1
+CREATE DATABASE auto_test_remote;
+USE auto_test_remote;
+
+eval CREATE TABLE tbl_a (
+ a CHAR(8)
+) $CHILD2_1_ENGINE $CHILD2_1_CHARSET;
+
+INSERT INTO tbl_a VALUES ('foo'),('bar');
+
+--connection master_1
+CREATE DATABASE auto_test_local;
+USE auto_test_local;
+
+eval CREATE TABLE tbl_a (
+ a CHAR(8)
+) $MASTER_1_ENGINE $MASTER_1_CHARSET COMMENT='table "tbl_a", srv "s_2_1"';
+
+SELECT MAX(BINARY a) FROM tbl_a;
+
+DROP DATABASE auto_test_local;
+
+--connection child2_1
+DROP DATABASE auto_test_remote;
+
+--disable_query_log
+--disable_result_log
+--source ../t/test_deinit.inc
+--enable_query_log
+--enable_result_log
diff --git a/storage/spider/spd_db_mysql.cc b/storage/spider/spd_db_mysql.cc
index 5f6107e66a0..e942d1d9063 100644
--- a/storage/spider/spd_db_mysql.cc
+++ b/storage/spider/spd_db_mysql.cc
@@ -4039,6 +4039,7 @@ int spider_db_mbase_util::open_item_func(
 int error_num;
 Item *item, **item_list = item_func->arguments();
 Field *field;
+ spider_string tmp_str;
 uint roop_count, item_count = item_func->argument_count(), start_item = 0;
 const char *func_name = SPIDER_SQL_NULL_CHAR_STR,
 *separator_str = SPIDER_SQL_NULL_CHAR_STR,
@@ -4491,10 +4492,11 @@ int spider_db_mbase_util::open_item_func(
 
 if (str)
 {
- char tmp_buf[MAX_FIELD_WIDTH], *tmp_ptr, *tmp_ptr2;
- spider_string tmp_str(tmp_buf, MAX_FIELD_WIDTH, str->charset());
+ char *tmp_ptr, *tmp_ptr2;
+ DBUG_ASSERT(tmp_str.length() == 0);
+ tmp_str.set_charset(str->charset());
 tmp_str.init_calc_mem(123);
- tmp_str.length(0);
+ tmp_str.reserve(MAX_FIELD_WIDTH);
 str->length(str->length() - SPIDER_SQL_OPEN_PAREN_LEN);
 if (!merge_func)
 {
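Review bot: The new test drives only `SELECT MAX(BINARY a) FROM tbl_a;`, which presumably reaches just one of the three open_item_func sites rewritten in spd_db_mysql.cc (the hunks at 4492, 4627 and 4782), leaving the other two without a regression test. If those branches correspond to different item types, adding one query per branch to mdev_28996.test, with the matching lines in the .result file, would let an ASAN run of the suite exercise all three. As written, a stale-contents or lifetime regression in either of the uncovered sites would not be caught.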
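Review bot: The return value of `tmp_str.reserve(MAX_FIELD_WIDTH)` is ignored here and at the two matching sites in the following hunks (4627 and 4782). The stack buffer it replaces could not fail to exist, whereas reserve() on spider_string, if it follows String::reserve and returns true on allocation failure, can; the commit title indicates the bytes are later written with q_append, which does not grow the buffer, so an unchecked failure would turn into an out-of-bounds write instead of an error. Checking it, e.g. `if (tmp_str.reserve(MAX_FIELD_WIDTH)) DBUG_RETURN(HA_ERR_OUT_OF_MEM);`, keeps the failure explicit, assuming that is how open_item_func reports errors (its body lies outside the hunk). The `DBUG_ASSERT(tmp_str.length() == 0)` only holds in debug builds, so a comment at the declaration such as `/* function-scoped so its contents outlive this block; each call uses it at most once */` would record the invariant the three sites now depend on.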
@@ -4625,10 +4627,11 @@ int spider_db_mbase_util::open_item_func(
 
 if (str)
 {
- char tmp_buf[MAX_FIELD_WIDTH], *tmp_ptr, *tmp_ptr2;
- spider_string tmp_str(tmp_buf, MAX_FIELD_WIDTH, str->charset());
+ char *tmp_ptr, *tmp_ptr2;
+ DBUG_ASSERT(tmp_str.length() == 0);
+ tmp_str.set_charset(str->charset());
 tmp_str.init_calc_mem(124);
- tmp_str.length(0);
+ tmp_str.reserve(MAX_FIELD_WIDTH);
 str->length(str->length() - SPIDER_SQL_OPEN_PAREN_LEN);
 if (!merge_func)
 {
@@ -4779,10 +4782,11 @@ int spider_db_mbase_util::open_item_func(
 
 if (str)
 {
- char tmp_buf[MAX_FIELD_WIDTH], *tmp_ptr, *tmp_ptr2;
- spider_string tmp_str(tmp_buf, MAX_FIELD_WIDTH, str->charset());
+ char *tmp_ptr, *tmp_ptr2;
+ DBUG_ASSERT(tmp_str.length() == 0);
+ tmp_str.set_charset(str->charset());
 tmp_str.init_calc_mem(125);
- tmp_str.length(0);
+ tmp_str.reserve(MAX_FIELD_WIDTH);
 str->length(str->length() - SPIDER_SQL_OPEN_PAREN_LEN);
 if (!merge_func)
 { |