-
Type:
Bug
-
Status: On Hold
-
Priority:
High
-
Resolution: Fixed
-
Affects Version/s: 5.7.x, Not 5.5.x, Not 5.6.x
-
Fix Version/s: None
-
Component/s: None
-
Labels:
Startup options
--log_bin=binlog --binlog_format=ROW --server-id=101 --gtid_mode=ON --enforce_gtid_consistency=ON --log_slave_updates=ON --sql_mode=ONLY_FULL_GROUP_BY --early-plugin-load=keyring_vault=keyring_vault.so --loose-keyring_vault_config=/sda/qa/vault_server/reducer_vault.cnf --master-verify-checksum=1 --binlog-checksum=1 --encrypt-binlog=1
Testcase
-- Crash reproducer from this report, one statement per line. Statement text and
-- order are unchanged, since a reproducer depends on both.
-- Run it against a server started with the options listed under "Startup options"
-- (binary log on, ROW format, GTID on, keyring_vault loaded, --encrypt-binlog=1).
-- The backtrace in the report shows __assert_fail reached from
-- mysql_execute_command() at sql_parse.cc:5249 in a build tree named
-- PS-5.7-trunk_dbg. The page does not say which statement trips the assertion.
--
-- The HTML/script-looking string literals are plain test data, presumably from a
-- fuzzer's string dictionary (TODO confirm). Here they matter only as values that
-- do not match the declared column types. Anything that displays this testcase or
-- the resulting rows in a browser should HTML-escape them.
CREATE DATABASE test;
USE test;
-- Start from an empty binary log so the run is comparable between attempts.
RESET MASTER;
CREATE TABLE t3 (c1 VARCHAR(2) CHARACTER SET 'utf8' COLLATE 'utf8_bin',c2 FLOAT(255,30) UNSIGNED ZEROFILL,c3 DATE, PRIMARY KEY(c1)) ENGINE=InnoDB;
-- No column list, and every value mismatches its column: an over-long string for
-- VARCHAR(2), text for FLOAT, markup for DATE.
-- NOTE(review): sql_mode is only ONLY_FULL_GROUP_BY in the startup options, so these
-- are presumably coerced with warnings rather than rejected - confirm.
INSERT INTO t3 VALUES ('-9223372036854775808/-1','Thk brown fox... [Beeeep]','<!--[if<img src=x onerror=javascript:alert(1)//]> -->');
ALTER TABLE t3 ADD INDEX (c3);
-- 46 bytes is far below a usable binlog size.
-- NOTE(review): MySQL documents a 4096-byte minimum for max_binlog_size, so the
-- server presumably clamps this value - confirm. The apparent intent is to force
-- binlog rotation while binlog encryption is enabled.
SET @@GLOBAL.max_binlog_size=46;
-- f1, f2, f3, p2 and p3 are never created in this testcase, so each
-- DROP ... IF EXISTS below has nothing to drop.
DROP FUNCTION IF EXISTS f2;
CREATE TABLE IF NOT EXISTS t2 (c1 FLOAT PRIMARY KEY,c2 REAL(2,2) ZEROFILL,c3 TINYINT ZEROFILL) ENGINE=InnoDB;
ALTER TABLE t2 ENGINE=InnoDB;
TRUNCATE t3;
TRUNCATE t3;
ALTER TABLE t2 ADD INDEX (c2);
DROP FUNCTION IF EXISTS f1;
FLUSH SLOW LOGS;
TRUNCATE t3;
-- With completion_type=CHAIN, a later COMMIT or ROLLBACK immediately opens a new
-- transaction in this session. This affects the ROLLBACK WORK further down.
SET @@SESSION.completion_type="CHAIN";
-- String values again target numeric columns (FLOAT primary key, REAL, TINYINT).
INSERT INTO t2 VALUES ('<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>','10-10-2014','DddddD');
DROP PROCEDURE IF EXISTS p3;
TRUNCATE t3;
DROP PROCEDURE IF EXISTS p2;
DROP FUNCTION IF EXISTS f3;
-- The procedure body is the single ANALYZE statement. p1 is defined here but never
-- called in this testcase.
CREATE PROCEDURE p1 (INOUT i1 MULTIPOLYGON, IN i2 BLOB) COMMENT 'comment' ANALYZE LOCAL TABLE t2;
-- t2 was already created above (if that statement succeeded), so IF NOT EXISTS
-- leaves the existing definition in place and this column list is not applied.
CREATE TABLE IF NOT EXISTS t2 (c1 CHAR(1) BINARY CHARACTER SET 'utf8' COLLATE 'utf8_bin',c2 FLOAT(1,0) UNSIGNED,c3 MULTILINESTRING) ENGINE=InnoDB;
ROLLBACK WORK;
-- Here c1 and c2 fit their columns. Only the DATE column receives a non-date string.
INSERT INTO t3 VALUES ('-1',0,'<a href="_xE2_x80_xA8javascript:javascript:alert(1)" id="fuzzelement1">test</a>');
-- LOCAL is the alias of NO_WRITE_TO_BINLOG for ANALYZE TABLE.
ANALYZE LOCAL TABLE t2;
-- Trailing empty statement, kept as it appears in the reported testcase.
;
GDB Info
+bt
#0 0x00007f1d2d33d9b1 in pthread_kill () from /lib64/libpthread.so.0
#1 0x000000000186bb3d in my_write_core (sig=6) at /sda/qa/PS-5.7-trunk_dbg/mysys/stacktrace.c:249
#2 0x0000000000e8eb59 in handle_fatal_signal (sig=6) at /sda/qa/PS-5.7-trunk_dbg/sql/signal_handler.cc:223
#3 <signal handler called>
#4 0x00007f1d2b4491f7 in raise () from /lib64/libc.so.6
#5 0x00007f1d2b44a8e8 in abort () from /lib64/libc.so.6
#6 0x00007f1d2b442266 in __assert_fail_base () from /lib64/libc.so.6
#7 0x00007f1d2b442312 in __assert_fail () from /lib64/libc.so.6
#8 0x00000000015356bc in mysql_execute_command (thd=0x7f1cf5c12000, first_level=true) at /sda/qa/PS-5.7-trunk_dbg/sql/sql_parse.cc:5249
#9 0x000000000153708c in mysql_parse (thd=0x7f1cf5c12000, parser_state=0x7f1d2d934470) at /sda/qa/PS-5.7-trunk_dbg/sql/sql_parse.cc:5897
#10 0x000000000152bc13 in dispatch_command (thd=0x7f1cf5c12000, com_data=0x7f1d2d934c50, command=COM_QUERY) at /sda/qa/PS-5.7-trunk_dbg/sql/sql_parse.cc:1493
#11 0x000000000152aa59 in do_command (thd=0x7f1cf5c12000) at /sda/qa/PS-5.7-trunk_dbg/sql/sql_parse.cc:1021
#12 0x000000000166a650 in handle_connection (arg=0x7f1cf5c11040) at /sda/qa/PS-5.7-trunk_dbg/sql/conn_handler/connection_handler_per_thread.cc:312
#13 0x0000000001d03283 in pfs_spawn_thread (arg=0x7f1d2941a920) at /sda/qa/PS-5.7-trunk_dbg/storage/perfschema/pfs.cc:2190
#14 0x00007f1d2d338e25 in start_thread () from /lib64/libpthread.so.0
#15 0x00007f1d2b50c34d in clone () from /lib64/libc.so.6
(gdb) quit
- causes
-
PS-4619 main.flush_read_lock fails with timeout in wait_condition.inc
-
- Done
-