From: Martin Hansson Date: December 6 2010 10:56am Subject: bzr commit into mysql-5.1-bugteam branch (martin.hansson:3512) Bug#58207 List-Archive: http://lists.mysql.com/commits/126117 X-Bug: 58207 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0381842155==" --===============0381842155== MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline #At file:///data0/martin/bzrroot/bug58207/5.1bt-minimal_fix/ based on revid:mats.kindahl@stripped 3512 Martin Hansson 2010-12-06 Bug#58207: invalid memory reads when using default column value and tmptable needed The function DEFAULT() works by modifying the the data buffer pointers (often referred to as 'record' or 'table record') of its argument. This modification is done during name resolution (fix_fields().) Here, the pointers are set to point into a buffer of default values by means of offsetting the pointer by the distance between the buffers' start addresses. Unfortunately, the same modification is done when creating a temporary table during optimization. At this point the Item may or may not be name-resolved. If it is, the bespoke pointer offsetting method is fragile enough to point into an undefined memory area, giving rise to everything from valgrind warnings to segmentation faults. Fixed by checking if an Item is name-resolved before modifying the pointers. modified: mysql-test/r/subselect4.result mysql-test/t/subselect4.test sql/sql_select.cc === modified file 'mysql-test/r/subselect4.result' --- a/mysql-test/r/subselect4.result 2010-09-07 09:21:09 +0000 +++ b/mysql-test/r/subselect4.result 2010-12-06 10:56:35 +0000 
@@ -164,5 +164,24 @@ a b 2 NULL DROP TABLE t1, t2, t3, t4, t5; # +# Bug#58207: invalid memory reads when using default column value and +# tmptable needed +# +CREATE TABLE t1( a CHAR(1) DEFAULT 'a' ); +CREATE TABLE t2( a CHAR(245) DEFAULT 'a' ); +INSERT INTO t1 VALUES ('b'), ('c'); +INSERT INTO t2 VALUES ('b'), ('c'); +# Caused crash in valgrind builds of revno:3517 (version 5.1.54) +SELECT * FROM (SELECT DEFAULT(a) FROM t1) t11; +DEFAULT(a) +a +a +# Should not cause valgrind error +SELECT * FROM (SELECT DEFAULT(a) AS b FROM t2 GROUP BY a) t21; +b +a +a +DROP TABLE t1, t2; +# # End of 5.1 tests. # === modified file 'mysql-test/t/subselect4.test' --- a/mysql-test/t/subselect4.test 2010-09-07 09:21:09 +0000 +++ b/mysql-test/t/subselect4.test 2010-12-06 10:56:35 +0000 @@ -136,6 +136,23 @@ SELECT * FROM t1 WHERE NULL NOT IN ( SEL DROP TABLE t1, t2, t3, t4, t5; +--echo # +--echo # Bug#58207: invalid memory reads when using default column value and +--echo # tmptable needed +--echo # +CREATE TABLE t1( a CHAR(1) DEFAULT 'a' ); +CREATE TABLE t2( a CHAR(245) DEFAULT 'a' ); + +INSERT INTO t1 VALUES ('b'), ('c'); +INSERT INTO t2 VALUES ('b'), ('c'); + +--echo # Caused crash in valgrind builds of revno:3517 (version 5.1.54) +SELECT * FROM (SELECT DEFAULT(a) FROM t1) t11; + +--echo # Should not cause valgrind error +SELECT * FROM (SELECT DEFAULT(a) AS b FROM t2 GROUP BY a) t21; + +DROP TABLE t1, t2; --echo # --echo # End of 5.1 tests. === modified file 'sql/sql_select.cc' --- a/sql/sql_select.cc 2010-11-26 12:51:48 +0000 +++ b/sql/sql_select.cc 2010-12-06 10:56:35 +0000 
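Review bot: The width in `CREATE TABLE t2( a CHAR(245) DEFAULT 'a' );` is the only thing besides the GROUP BY that separates the second case from the first, and nothing in the test says why it was chosen; if it is what makes the stale default-value pointer offset land outside the record buffer (the commit message describes the failure as an offset into undefined memory), the test should say so, e.g. `--echo # CHAR(245): wide enough that the stale default-value offset leaves the record buffer`, otherwise a later cleanup may shrink the column and silently lose the coverage. The hunk's own comments ("Caused crash in valgrind builds", "Should not cause valgrind error") suggest the defect is only reliably observed under an instrumented run, so the recorded result alone does not prove the fix; a one-line note that this case is meant for valgrind/ASan builds would make that explicit for whoever reruns it on a plain build. The enclosing test section begins outside this hunk.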
@@ -10207,6 +10207,15 @@ create_tmp_table(THD *thd,TMP_TABLE_PARA item->marker == 4, force_copy_fields, param->convert_blob_length); + /* + Fields that are used as arguments to the DEFAULT() function have their + data pointers set to the default value during name resulotion. If by + any chance they have been resolved at this stage (e.g. if they appear + in a subquery) we should not update these pointers. + */ + if (item->type() == Item::DEFAULT_VALUE_ITEM && item->fixed) + default_field[fieldnr]= NULL; + if (!new_field) { if (thd->is_fatal_error) --===============0381842155== MIME-Version: 1.0 Content-Type: text/bzr-bundle; charset="us-ascii"; name="bzr/martin.hansson@stripped" Content-Transfer-Encoding: 7bit Content-Disposition: inline # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: martin.hansson@stripped\ # k6122guqnol91l46 # target_branch: file:///data0/martin/bzrroot/bug58207/5.1bt-\ # minimal_fix/ # testament_sha1: 4b698040cb18a2a5df7c7bdfdf448b46d0b36698 # timestamp: 2010-12-06 11:56:39 +0100 # base_revision_id: mats.kindahl@stripped\ # 7udci9op4lc6jvtb # # Begin bundle IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWXVHwK4ABBlfgBQQWff//3/n 3yq////wYAlr72zKQaIlatNqGylU1WGzUiKGqaJoGTQaG01A0AxBk0BoaDIBoAkkETBom0KGp4Ue im1NAZqb1IPT0oeoGmj1NDjJk0YhiaYCBgTTBGCYmmmgAwgkSI0BNAahpqbVNtQnqb1T0NRoDQNG g0NNDjJk0YhiaYCBgTTBGCYmmmgAwgkkCaACDQRqelPyajaFGp+VB+pDNJo0xqPQQABgFCPrmWsz ZJ6ZB0WLWD9gKJmL98GJPVlH7qiSNJUSKIMvPO7hqLVVaw5SKB8B08KIgFdZfl0RZ2Lef+Y+HUz4 2fPWgzTAEwMRxSL09g+ev7Q6BEL7+z/U9R0C8PKvauKbbY2rfcG6d7OpkPeMq6nwU7CrEnE4x6F2 d5xOIMQ8w2lMw7AgdZxIviFg+n7Cs9pcMSKTSeQd1X+/wN3ujcunGLEOhzISexsGcT73TJFIyeWU WJptQMESuT1/2mU4Z9I0R0VfkWnopQ/SF/o2MK5BfllORKXcmp1KmmtRbZ81J2rZS6b2srTMnQLi 6Vrtbut/Q6zmM0EEiRIzNFeIrb9leWM9E23IydfYNk/XUQqaDkMaXJ5K+Mk7v8+vPu7qjyl8HeE1 DrR7xQYS7+YxjbH0LtjgG3Y9QaAqDuAZgayAN3nLfaEwkhpXZ+oxuL4Ngzul5qiZynMG7m0zwgPX tCiZhjVmLwNRuBxwDiAfpUtTz+ovUlybMQ2054GD+hdSZFRGl/dqsObGJJTLUlNnITl38Bem7epZ 
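Review bot: The new comment misspells "resolution" in `data pointers set to the default value during name resulotion. If by`; it should read `data pointers set to the default value during name resolution. If by`. The guard runs after create_tmp_field() has already stored into default_field[fieldnr] and then clears the slot, so it protects only this call site — if create_tmp_field() is reached from anywhere else with a non-NULL default_field slot (its other callers are not visible from this hunk), the same stale offset would still be applied there, and placing the `item->fixed` test next to where the slot is assigned would be more robust. The comment would also be more useful if it said why re-applying the offset is unsafe — per the commit message the pointers already point into the default-values buffer, so offsetting them again lands in undefined memory — rather than only that "we should not update these pointers". create_tmp_table() begins and ends outside this hunk.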
TWxZxALG9Sp4cgkxgMJPQH0fiURUUaggDzgMayIKDxEthMkTKJKVA5DyASFE+BYiKpIuu33pZjrn H1DBauR5YlYg+NScaRGg76jiattMnwuIIU60irG6ON0MulRwJI66ypNrav44VhSDBtm8m1A4w9Xa 4xOTtphkqGbFPJ2l6uLTI3GyJERYi2gzB7DAi5ZW1jxD09ElMhjmRpICH7PHeVxXYRN98NGwNmEB WmO9az5vOJabxFl+hbCd2YzASM36JwjI6ry2grp0J2b63RLNuez5u0OAX/I6N1hmLCYpwHI2snnT iY+hj0TMEGjS6cbVI6QwMRykWHkSNfl1p85SubdAuEYG3esUuBTKkxKc7TG8zImssocuFIjZKqyq i6PomWnEp2D1L94yNxaZx6k5EbSbDwyBlqiI7xGO0jKkQzTNBOgpozamBvfEoCOeKN0hxEtumtmS rtZgxK7tVZp5uUMKdJo8yl2+h6lcT0IpVXNZEp4MzU0NVlNorImtNRBKxde4rGyeirLRQpZ2A86Y EhgtlxcIkcDDEeX7qlntssrH5kCAd6pTtdewaDHO6yi2+Uds3VOYsUSCqEOjqCwVLH/XooOoahp+ kM/q+Hjq4JnNdaHjM1PHuWnE+W5VIXIXkj4hWd4f2CdImmBj+hSKmcWEwkBAEMJQWh0i9gWQB7wX tAqYfBFwK4D+boP7BkAw+LRdzFQCxCyRHuAw+gE7gxBTJEwtDIDE+hYBEwD5B+wWmsKwLgck8VIX 0BDVFyHxBXEEY4nDnKfHu3dr1vQN9vtFPSyC5Dhj8gzQ4n5hMDxq/lafKtHhikqLLAi+CU18/aBy ZEckqahr6nqvtghemEPc40vQOPGv4YIVsRh1j3a1J1vfU04L8ktIHpLCJw3YyHbgu/XuOfiMU68B ve4c8OpHh7GFVARIRPfeDjjz5nPCJEyWRtj2Fx4rI8OAxO8fTSVirWcHuSUFcgN0yS9xCCwrtzJq aaY0x/o7lpUT7SK0944uNu3ukRCrOpDyhDpkUq3rDp0161M2lxpvVKKaodSsNKJU7S55Y5TTX0RX 1fj3czJdXZsGMK0P3fi9SN7i8irzxd5b7K2X7pWlyS72sMy05HTNT1vibOscjqrFvyk5NaqBX6WV GLrvlz+8VESlBwWew+xxntohGwwWo5++a8JNN3bvuFY0MS+nG0u727f/uOQTQdgtwMtqGu3Kpp5p wjhTxN6+yXq5Y13lShl58lcOvLRiGu91KHOCQ5iFcAPEklQUTPbozA73GRxMzmZ+ASHAstB5jMoM VTgvDasTOR6/i/+XesVfz414HbGR1e4vLoPLSIlevDpSeXBkqZPfT3Ss9/iiyZmI3cjp24DPAbFC 5XjJf0ZGiLuoMEGNCgJ34FMjTLalRJjOpa8xp5LPYk0T82q+GZ2AYGwvpQW6lS3scOQrkbkEsoal 4RfJWO9SvrfxEWnJlz919ReMDMMjY+gwZhr7xWvLGugTx0YhaurlL1raesNojTKr49T3C71T5Ozw +BhgHcHmIiLRuiYiGN699KidVUqy8Z6YBhpSUCkgsQca0i0wiaMEs99nBk0AzwBxf+x6wa5eRnQm uRiA0aMHO2b48YyxovRTazSGF4RjrVMS6p4MHY5STJNSMVNYEkKNY0BglOiY1UJRMiaiP1aSteHl MxFAwq17KbeAwlFUCZAyZhbhwn+rTLeJgMuXqIPCi29Lw70igRxVwScILgeyQyE2J0j6pNUwx+6S wFXUY6Pi5QbGTJi8N/Pa/UmgEtCHK7iyZHCId+Nd1x22ptF1lOu6V8QrsNF9oqxHiu82/C5bWyHy Dq5WxQjVN2YymSbJQ9nbtUUDzkcHeK2SeKquZGWxG1V1hqp4dOy3PUYJFGxK1JxA4kUiXb0Iv1kU 
cZWQpucpUcLcPf79+vKwt2InqXULOyZtNhNdLoUZrAqFBd+AZNpLwuEvFeLPucxxHkhJkXNY68TU TYZvMJBzJfLRk3YuatLWhSRisExplm29YgjgOF1rnJU+QmgT7FygEpqVDexgNTwoN7I5q0qE2l5G g4RG7wwz6Oo2wJTxH484bKc3hgtIxZihUe16rVhJE9JJ/ZIx7guS5ferwnzjsXsWuCwIW+NKGmec opGdRtJV1iMVBNjVJ7C2aITRURT19hofmtDxaBjy8Vx22GTBmNX1VewZYhYg8897lsiUoNpJFzNR 0mXeT1FMUWXeTDM8Z/4u5IpwoSDqj4Fc --===============0381842155==--