Bug #25492 Invalid deallocation in mysql_stmt_fetch()
Submitted: 9 Jan 2007 13:30 Modified: 31 Mar 2007 23:33
Reporter: Name Withheld
Status: Closed
Category: MySQL Server: Embedded Library (libmysqld) Severity: S2 (Serious)
Version: 4.1.22 OS: Windows (Windows XP)
Assigned to: Alexey Botchkov CPU Architecture: Any
Tags: bfsm_2007_01_18, bfsm_2007_02_15, bfsm_2007_03_01, bfsm_2007_03_15

[9 Jan 2007 13:30] Name Withheld
Description:
As of MySQL 4.1.21, when using the embedded server and prepared statements, mysql_stmt_fetch() will sometimes try to free a pointer which was never allocated.

Specifically, it's trying to free an address in the middle of a related MYSQL_STMT struct.

The stack looks like:
   ...
   mysql_stmt_fetch()
   stmt_read_row_unbuffered()
   emb_unbuffered_fetch()
   free_rows()
   my_no_flags_free()
   free()

This bug may have been introduced while fixing bug #16017 ("Memory leak in mysql embedded library").  At any rate, MySQL 4.1.21 is the first release with this bug.

How to repeat:
Run the attached test app, "test.cpp", under the Microsoft Visual Studio 2005 debugger.  Error messages like these will appear in the debugger output window:

  - HEAP[test.exe]: Invalid Address specified to RtlFreeHeap( 003E0000, 0065D4F0 )

  - Windows has triggered a breakpoint in test.exe.  This may be due to a corruption of the heap, and indicates a bug in test.exe or any of the DLLs it has loaded.  The output window may have more diagnostic information
[9 Jan 2007 18:11] MySQL Verification Team
Thank you for the bug report. I was able to repeat it when the debug test case
is linked against the release embedded server; however, the debug embedded server
with the debug test case does not present that problem.
[9 Jan 2007 18:19] MySQL Verification Team
Error message

Attachment: debugging.PNG (image/png, text), 53.50 KiB.

[9 Jan 2007 19:33] MySQL Verification Team
Regardless of the test (debug embedded/release application or
debug embedded/debug application), the error log file shows:

Error: Freeing unallocated data at line 646, '..\sql-common\client.c'
Error: Freeing unallocated data at line 646, '..\sql-common\client.c'
Error: Freeing unallocated data at line 646, '..\sql-common\client.c'
Error: Freeing unallocated data at line 646, '..\sql-common\client.c'
Error: Freeing unallocated data at line 646, '..\sql-common\client.c'
Error: Freeing unallocated data at line 646, '..\sql-common\client.c'
Error: Freeing unallocated data at line 646, '..\sql-common\client.c'
[29 Jan 2007 7:46] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/18933

ChangeSet@1.2599, 2007-01-29 11:48:31+04:00, holyfoot@mysql.com +1 -0
  bug #25492 (Invalid deallocation in mysql_stmt_fetch)
  Operating with the prepared statements we don't alloc MYSQL_DATA structure,
  but use MYSQL_STMT's field instead (to increase performance by reducing
  malloc calls).
  So we shouldn't free this structure as we did before.
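The description above (a free() of an address in the middle of a MYSQL_STMT) and this commit message describe the same ownership mistake: a cleanup routine assumes the structure handed to it was malloc'd on its own, but for prepared statements it is embedded by value inside the statement. The following C program is an added example, not code from this bug report or from MySQL; the struct names and layouts (demo_data, demo_stmt) are stand-ins, and the allocation registry is a constructed miniature of what a debug allocator does. It reproduces both shapes of free_rows(), the pre-fix one that frees the container and the fixed one that frees only the row storage, and shows why only the prepared-statement path trips the check.

```c
/* Constructed example for bug #25492: freeing a struct that is embedded by
 * value, not heap-allocated. Not MySQL's code; names are stand-ins. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACKED 64

/* Minimal safemalloc-style registry (an assumption for this example): it
 * records live heap blocks so that a free() of a pointer it never handed out
 * is counted and skipped instead of corrupting the heap. A debug build of
 * the server reports the same condition as "Freeing unallocated data". */
static void *g_live[MAX_TRACKED];
static int g_bad_frees;

static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    for (int i = 0; p != NULL && i < MAX_TRACKED; i++)
        if (g_live[i] == NULL) { g_live[i] = p; break; }
    return p;
}

/* Returns 1 if p was a live block and is now freed, 0 if it was not ours. */
static int tracked_free(void *p)
{
    for (int i = 0; i < MAX_TRACKED; i++)
        if (g_live[i] != NULL && g_live[i] == p) {
            g_live[i] = NULL;
            free(p);
            return 1;
        }
    g_bad_frees++;          /* invalid free: report it, do not touch the heap */
    return 0;
}

int live_blocks(void)
{
    int n = 0;
    for (int i = 0; i < MAX_TRACKED; i++) n += (g_live[i] != NULL);
    return n;
}

/* Stand-ins for MYSQL_DATA and MYSQL_STMT (layouts assumed, not real). The
 * point is that the statement embeds its result structure by value. */
typedef struct { char **rows; size_t nrows; } demo_data;
typedef struct { int id; demo_data result; } demo_stmt;

/* Simulates rows arriving from the server into a result structure. */
static void fill_rows(demo_data *d, size_t n)
{
    d->rows = tracked_malloc(n * sizeof *d->rows);
    d->nrows = n;
    for (size_t i = 0; i < n; i++) {
        d->rows[i] = tracked_malloc(8);
        strcpy(d->rows[i], "row");
    }
}

static void free_row_storage(demo_data *d)
{
    for (size_t i = 0; i < d->nrows; i++) tracked_free(d->rows[i]);
    tracked_free(d->rows);
    d->rows = NULL;
    d->nrows = 0;
}

/* Pre-fix shape: assumes every result structure was malloc'd on its own. */
static void free_rows_buggy(demo_data *d)
{
    free_row_storage(d);
    tracked_free(d);        /* wrong when d == &stmt->result */
}

/* Post-fix shape: release the rows; free the container only if the caller
 * owns a separately allocated one. */
static void free_rows_fixed(demo_data *d, int container_on_heap)
{
    free_row_storage(d);
    if (container_on_heap) tracked_free(d);
}

/* Prepared-statement fetch on the embedded server: the result lives inside
 * the statement. Returns how many invalid frees the registry caught. */
int simulate_prepared_fetch(int fixed)
{
    demo_stmt stmt;
    memset(&stmt, 0, sizeof stmt);
    g_bad_frees = 0;
    fill_rows(&stmt.result, 3);
    if (fixed) free_rows_fixed(&stmt.result, 0);
    else       free_rows_buggy(&stmt.result);
    return g_bad_frees;
}

/* Plain query: the result really is a separate heap block, so freeing the
 * container is correct in both versions. */
int simulate_plain_query(int fixed)
{
    demo_data *d = tracked_malloc(sizeof *d);
    memset(d, 0, sizeof *d);
    g_bad_frees = 0;
    fill_rows(d, 3);
    if (fixed) free_rows_fixed(d, 1);
    else       free_rows_buggy(d);
    return g_bad_frees;
}

int main(void)
{
    printf("prepared: buggy=%d fixed=%d invalid free(s)\n",
           simulate_prepared_fetch(0), simulate_prepared_fetch(1));
    printf("plain query: buggy=%d fixed=%d invalid free(s)\n",
           simulate_plain_query(0), simulate_plain_query(1));
    printf("leaked blocks: %d\n", live_blocks());
    return 0;
}
```

The registry is what turns the bug into the "Freeing unallocated data" lines in the debug error log; a release build has no such bookkeeping, so the same pointer goes straight to the C runtime and surfaces as the "Invalid Address specified to RtlFreeHeap" break seen under the Visual Studio debugger. Either way the cure is the same as in the fix: the routine that releases row storage must not assume it also owns the container.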
[12 Feb 2007 20:54] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/19728

ChangeSet@1.2600, 2007-02-13 00:55:45+04:00, holyfoot@mysql.com +1 -0
  bug #25492 (Invalid deallocation in mysql_stmt_fetch)
[14 Feb 2007 10:40] Igor Babaev
The fix has been pushed into 4.1.23, 5.0.36 and 5.1.16-beta.
[15 Feb 2007 4:37] Paul DuBois
Noted in 4.1.23, 5.0.36, 5.1.16 changelogs.

mysql_stmt_fetch() did an invalid memory deallocation when used with
the embedded server.
[22 Feb 2007 17:14] MySQL Verification Team
heap corruption using If()

Attachment: embed-debug.PNG (image/png, text), 27.12 KiB.

[22 Feb 2007 17:17] MySQL Verification Team
Actually the issue exists when changing the while() to if(), as the
user reported. The attached picture shows that in the VS debugger.
[5 Mar 2007 10:42] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/21136

ChangeSet@1.2601, 2007-03-05 11:35:04+04:00, holyfoot@mysql.com +1 -0
  bug #25492 (Invalid deallocation in mysql_stmt_fetch())
  
  Additional patch.
  mysql_flush_use_result() fixed.
[23 Mar 2007 13:59] Alexey Botchkov
Pushed in 4.1.23, 5.0.40 and 5.1.18
[31 Mar 2007 23:33] Paul DuBois
Moved 5.0.36 changelog entry to 5.0.40.
Moved 5.1.16 changelog entry to 5.1.18.
[4 Apr 2007 10:16] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/23767

ChangeSet@1.2544, 2007-04-04 12:15:04+02:00, jbruehe@mysql.com +1 -0
  bug #25492 (Invalid deallocation in mysql_stmt_fetch())
  
  Additional patch.
  mysql_flush_use_result() fixed.
  
  (Originally done by holyfoot@mysql.com 2007-03-05 11:35:04+04:00,
  applied to the custom build by joerg@mysql.com)