Bug #29166 MYsql crash when query is run
Submitted: 18 Jun 2007 2:51 Modified: 9 Jul 2007 1:04
Reporter: Matt Fraser Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: General Severity:S2 (Serious)
Version:5.0.18 OS:Linux
Assigned to: Georgi Kodinov CPU Architecture:Any

[18 Jun 2007 2:51] Matt Fraser 
Description:
MYsql server crashes every time I run the following query:

Select astext(geometry) from geometry where astext(geometry) like '%POLY%';

How to repeat:
1)Restore the attached file to (geotable.zip)
2) Run the following query in the query browser:

Select astext(geometry) from geometry where astext(geometry) like '%POLY%';

3) MYSQL Crashes

Suggested fix:
Stop the crash
[18 Jun 2007 5:54] Valeriy Kravchuk 
Thank you for a problem report. Sorry, but there is no geotable.zip file attached. Please, check. Also try to repeat with a newer version of MySQL server, 5.0.41.
[18 Jun 2007 11:04] Matt Fraser 
I've uploaded bug-data-29166.zip to the ftp site. Please retry.
[18 Jun 2007 11:04] Matt Fraser 
Please see last comment...bug-data-29166.zip is intended to replace geotable.zip in the original comments
[18 Jun 2007 12:16] MySQL Verification Team 
Thank you for the bug report. Verified on Linux too.

[New Thread -1263600752 (LWP 9739)]
070618  8:56:15 [Note] /home/miguel/dbs/5.0/libexec/mysqld: ready for connections.
Version: '5.0.44-debug'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution
[New Thread -1263801456 (LWP 9811)]
Error: Memory allocated at sql_string.cc:82 was overrun, discovered at 'sql_string.h:189'
*** glibc detected *** /home/miguel/dbs/5.0/libexec/mysqld: double free or corruption (!prev): 0x0a07ea48 ***
======= Backtrace: =========
/lib/libc.so.6[0x97909d]
/lib/libc.so.6(cfree+0x90)[0x97c6f0]
/home/miguel/dbs/5.0/libexec/mysqld(_myfree+0x26a)[0x8574587]
/home/miguel/dbs/5.0/libexec/mysqld(_ZN6String4freeEv+0x47)[0x817b431]
/home/miguel/dbs/5.0/libexec/mysqld(_ZN6StringD1Ev+0x11)[0x817b46d]
/home/miguel/dbs/5.0/libexec/mysqld(_ZN11select_send9send_dataER4ListI4ItemE+0x262)[0x820f58c]
/home/miguel/dbs/5.0/libexec/mysqld[0x828212e]
/home/miguel/dbs/5.0/libexec/mysqld[0x82881ee]
/home/miguel/dbs/5.0/libexec/mysqld(_Z10sub_selectP4JOINP13st_join_tableb+0x15e)[0x8288420]
/home/miguel/dbs/5.0/libexec/mysqld[0x829039b]
/home/miguel/dbs/5.0/libexec/mysqld(_ZN4JOIN4execEv+0x1fb7)[0x82a6103]
<cut>

The version 5.1BK presented the below error in the create table:

mysql> CREATE TABLE `geometry` (
    ->   `id` int(10) unsigned NOT NULL auto_increment,
    ->   `geometry` geometry NOT NULL default '',
    ->   `type` varchar(15) NOT NULL default '',
    ->   PRIMARY KEY  (`id`),
    ->   SPATIAL KEY `Index_spat` (`geometry`(32))
    -> ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
ERROR 1089 (HY000): Incorrect sub part key; the used key part isn't a string, the used length is longer than the key part, or the storage engine doesn't support unique sub keys
mysql>
[5 Jul 2007 15:25] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/30384

ChangeSet@1.2518, 2007-07-05 18:24:48+03:00, gkodinov@magare.gmz +3 -0
  Bug #29166: 
  AsText() needs to know the maximum number of
  characters a IEEE double precision value can
  occupy to make sure there's enough buffer space.
  The number was too small to hold all possible
  values and this caused buffer overruns.
  Fixed by correcting the calculation of the 
  maximum digits in a string representation of an
  IEEE double precision value as printed by 
  String::qs_append(double).
[8 Jul 2007 17:28] Bugs System 
Pushed into 5.1.21-beta
[8 Jul 2007 17:30] Bugs System 
Pushed into 5.0.46
[9 Jul 2007 1:04] Paul DuBois 
Noted in 5.0.46, 5.1.21 changelogs.

AsText() could fail with a buffer overrun.