Details
- Type: Bug
- Status: Done
- Priority: Medium
- Resolution: Fixed
- Affects Version/s: 8.0.x, Not 5.6.x, Not 5.7.x
- Fix Version/s: None
Description
In create_zip_dict, the function arguments are logged as
DBUG_LOG("zip_dict", "thd->query: " << thd->query().str << " dict_name: " << name << " dict_name_len: " << name_len << " data: " << data << " data_len: " << data_len << " if_not_exists: " << if_not_exists);
This is not entirely correct: name and data arrive with explicit lengths (name_len, data_len) rather than a guaranteed NUL terminator, so streaming them through operator<< on const char* may read past their ends. This is seen on AddressSanitizer as
190102 21:38:47 [ 87%] innodb.xtradb_compressed_columns_with_dictionaries w8 [ fail ]
Test ended at 2019-01-02 21:38:47
...
==14284==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070011cdf48 at pc 0x7f08600f2994 bp 0x7f0834127380 sp 0x7f0834126b30
READ of size 41 at 0x6070011cdf48 thread T42
    #0 0x7f08600f2993 (/usr/lib64/libasan.so.4+0x4f993)
    #1 0x7f085e95cba0 in std::basic_ostream<char, std::char_traits<char> >& std::operator<< <std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*) (/usr/lib64/libstdc++.so.6+0x92ba0)
    #2 0x3cfe103 in compression_dict::create_zip_dict(THD*, char const*, unsigned long, char const*, unsigned long, bool, bool) /tmp/ps/sql/sql_zip_dict.cc:313
    #3 0x38bd9c3 in mysql_execute_command(THD*, bool) /tmp/ps/sql/sql_parse.cc:3675
    #4 0x38d1295 in mysql_parse(THD*, Parser_state*, bool, bool) /tmp/ps/sql/sql_parse.cc:5269
    #5 0x38d9273 in dispatch_command(THD*, COM_DATA const*, enum_server_command) /tmp/ps/sql/sql_parse.cc:1734
    #6 0x38e193d in do_command(THD*) /tmp/ps/sql/sql_parse.cc:1290
    #7 0x3eff9c0 in handle_connection /tmp/ps/sql/conn_handler/connection_handler_per_thread.cc:317
    #8 0x782e98e in pfs_spawn_thread /tmp/ps/storage/perfschema/pfs.cc:2836
    #9 0x7f085fe8daa0 in start_thread (/lib64/libpthread.so.0+0x7aa0)
    #10 0x7f085d467c4c in __clone (/lib64/libc.so.6+0xe8c4c)

0x6070011cdf48 is located 0 bytes to the right of 72-byte region [0x6070011cdf00,0x6070011cdf48)
allocated by thread T42 here:
    #0 0x7f086017cc50 in malloc (/usr/lib64/libasan.so.4+0xd9c50)
    #1 0x73d50e5 in my_raw_malloc /tmp/ps/mysys/my_malloc.cc:199
    #2 0x73d5263 in my_malloc(unsigned int, unsigned long, int) /tmp/ps/mysys/my_malloc.cc:81
    #3 0x3ef2b07 in String::real_alloc(unsigned long) /tmp/ps/sql-common/sql_string.cc:54
    #4 0x2aaa1c2 in String::alloc(unsigned long) /tmp/ps/include/sql_string.h:374
    #5 0x3ef4769 in String::copy(char const*, unsigned long, CHARSET_INFO const*, CHARSET_INFO const*, unsigned int*) /tmp/ps/sql-common/sql_string.cc:399
    #6 0x29e7d1c in Item::val_str_ascii(String*) /tmp/ps/sql/item.cc:239
    #7 0x38bd66a in mysql_execute_command(THD*, bool) /tmp/ps/sql/sql_parse.cc:3665
    #8 0x38d1295 in mysql_parse(THD*, Parser_state*, bool, bool) /tmp/ps/sql/sql_parse.cc:5269
    #9 0x38d9273 in dispatch_command(THD*, COM_DATA const*, enum_server_command) /tmp/ps/sql/sql_parse.cc:1734
    #10 0x38e193d in do_command(THD*) /tmp/ps/sql/sql_parse.cc:1290
    #11 0x3eff9c0 in handle_connection /tmp/ps/sql/conn_handler/connection_handler_per_thread.cc:317
    #12 0x782e98e in pfs_spawn_thread /tmp/ps/storage/perfschema/pfs.cc:2836
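The defect is that operator<<(ostream&, const char*) calls strlen on a buffer that carries its own length, which is exactly what frame #1 of the ASan trace shows. The following is an added, self-contained illustration of the bounded way to log such arguments; it is not the Percona Server fix and not code from the page. The LenStr type, the format_zip_dict_log and demo_bounded_log functions, and the demo input values are assumptions made for this example; the server itself passes the pointer and length as separate parameters.

```cpp
#include <cstddef>
#include <iostream>
#include <ostream>
#include <sstream>
#include <string>
#include <vector>

// A length-delimited string as create_zip_dict receives it: a pointer plus a
// byte count, with no promise that ptr[len] is a NUL byte. Hypothetical type
// for this example; the server passes these as separate const char* / size_t
// parameters.
struct LenStr {
  const char *ptr;
  std::size_t len;
};

// ostream::write() takes an explicit byte count, so it emits exactly len bytes
// and never scans for a terminator. std::string_view(ptr, len) with operator<<
// is the zero-copy C++17 equivalent.
static std::ostream &put(std::ostream &os, LenStr s) {
  return os.write(s.ptr, static_cast<std::streamsize>(s.len));
}

// Bounded replacement for the report's DBUG_LOG message.
//
// Unsafe form from the report, for contrast (do not use with length-delimited
// data):
//   os << " dict_name: " << name.ptr;   // operator<<(const char*) runs strlen
// That strlen walks past the end of a len-byte buffer until it happens to hit
// a zero byte, which is the "READ of size 41" off a 72-byte region above.
std::string format_zip_dict_log(LenStr query, LenStr name, LenStr data,
                                bool if_not_exists) {
  std::ostringstream os;
  os << "thd->query: ";
  put(os, query) << " dict_name: ";
  put(os, name) << " dict_name_len: " << name.len << " data: ";
  put(os, data) << " data_len: " << data.len
                << " if_not_exists: " << if_not_exists;
  return os.str();
}

// Constructed demo input: each value is copied into a std::vector<char> of
// exactly its length, so, like the 72-byte String buffer in the ASan report,
// the storage ends right after the last character with no terminator. Under
// AddressSanitizer the unsafe form in the comment above would report
// heap-buffer-overflow on these buffers; the bounded form does not.
std::string demo_bounded_log() {
  const std::string q = "CREATE COMPRESSION_DICTIONARY d1 ('abc')";
  const std::string n = "d1";
  const std::string d = "abc";
  std::vector<char> qbuf(q.begin(), q.end());
  std::vector<char> nbuf(n.begin(), n.end());
  std::vector<char> dbuf(d.begin(), d.end());
  return format_zip_dict_log({qbuf.data(), qbuf.size()},
                             {nbuf.data(), nbuf.size()},
                             {dbuf.data(), dbuf.size()}, false);
}

int main() {
  std::cout << demo_bounded_log() << '\n';
  return 0;
}
```

Running the binary under `-fsanitize=address` with the unsafe `<< name.ptr` form swapped in reproduces the class of report shown above on the demo vectors; with the bounded form the same inputs log cleanly, which is the property a regression test for this bug should check.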