Bug #35986 valgrind warning in DbugParse for empty string in SET GLOBAL DEBUG=
Submitted: 11 Apr 10:22 Modified: 14 May 4:23
Reporter: Magnus Svensson
Status: Closed
Category: Server: General    Severity: S3 (Non-critical)
Version: 5.1.25, 5.0    OS: Any
Assigned to: Magnus Svensson    Target Version: 5.0+
Triage: D1 (Critical)

[11 Apr 10:22] Magnus Svensson
Description:
set GLOBAL debug=""; gives a valgrind warning, since the code in DbugParse will read after
the end of the control string.

==27642== Invalid read of size 1
==27642==    at 0x8609756: DbugParse (dbug.c:503)
==27642==    by 0x8609C6D: _db_set_init_ (dbug.c:746)
==27642==    by 0x8282396: sys_var_thd_dbug::update(THD*, set_var*) (set_var.cc:4011)
==27642==    by 0x82776B6: set_var::update(THD*) (set_var.cc:3473)
==27642==    by 0x8281403: sql_set_variables(THD*, List<set_var_base>*) (set_var.cc:3348)
==27642==    by 0x8273F81: mysql_execute_command(THD*) (sql_parse.cc:3235)
==27642==    by 0x827472B: mysql_parse(THD*, char const*, unsigned, char const**) (sql_parse.cc:5630)
==27642==    by 0x8275AD8: dispatch_command(enum_server_command, THD*, char*, unsigned) (sql_parse.cc:1121)
==27642==    by 0x8276C81: do_command(THD*) (sql_parse.cc:781)
==27642==    by 0x826503D: handle_one_connection (sql_connect.cc:1115)
==27642==    by 0x403846A: start_thread (in /lib/tls/i686/cmov/libpthread-2.6.1.so)
==27642==    by 0x41A36DD: clone (in /lib/tls/i686/cmov/libc-2.6.1.so)
==27642==  Address 0x5009D99 is 0 bytes after a block of size 17 alloc'd
==27642==    at 0x4022765: malloc (vg_replace_malloc.c:149)
==27642==    by 0x85EE747: my_malloc (my_malloc.c:34)
==27642==    by 0x85EF168: alloc_root (my_alloc.c:158)
==27642==    by 0x819DE43: get_text(Lex_input_stream*, int, int) (sql_class.h:500)
==27642==    by 0x81A15F7: MYSQLlex(void*, void*) (sql_lex.cc:1171)
==27642==    by 0x82863DB: MYSQLparse(void*) (sql_yacc.cc:15656)
==27642==    by 0x8265566: parse_sql(THD*, Lex_input_stream*, Object_creation_ctx*) (sql_parse.cc:7427)
==27642==    by 0x82746AE: mysql_parse(THD*, char const*, unsigned, char const**) (sql_parse.cc:5599)
==27642==    by 0x8275AD8: dispatch_command(enum_server_command, THD*, char*, unsigned) (sql_parse.cc:1121)
==27642==    by 0x8276C81: do_command(THD*) (sql_parse.cc:781)
==27642==    by 0x826503D: handle_one_connection (sql_connect.cc:1115)
==27642==    by 0x403846A: start_thread (in /lib/tls/i686/cmov/libpthread-2.6.1.so)
==27642==    by 0x41A36DD: clone (in /lib/tls/i686/cmov/libc-2.6.1.so)

How to repeat:
valgrind a mysqld with DBUG support and run SET GLOBAL DEBUG=""

Suggested fix:
Change the "while(1)" loop to "while (control<end)"
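The loop shape the report describes and the suggested guard, side by side, as an added C sketch. This is not the parser in dbug.c: the flag names, the `peek()` helper and the over-read counter are constructed here so that the one-byte over-read on an empty control string can be observed without Valgrind. The buggy variant reads the current byte first and checks `control < end` only afterwards; the fixed variant makes `while (control < end)` the loop condition, so every read is guarded. In this sketch the late check also misfires on a trailing ':' (a property of the sketch, not a claim about MySQL's code).

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed example; not the DbugParse code from dbug.c. Only the loop
 * shape from the bug report is kept: a while(1) that dereferences the
 * current byte before checking control < end, versus a loop whose condition
 * guards every read. Each byte access goes through peek(), which refuses to
 * dereference past `end` and counts the attempt instead, so the read that
 * Valgrind reports as "0 bytes after a block" becomes a countable event. */

enum { FLAG_D = 1, FLAG_T = 2, FLAG_O = 4, FLAG_UNKNOWN = 8 };

struct cursor {
    const char *cur;
    const char *end;
    int overreads;   /* reads Valgrind would flag as invalid */
};

static char peek(struct cursor *c)
{
    if (c->cur >= c->end) {
        c->overreads++;
        return '\0';     /* stand-in for whatever byte happens to follow the buffer */
    }
    return *c->cur;
}

/* Hypothetical flag letters; a real control string has more syntax. */
static int flag_bit(char ch)
{
    switch (ch) {
    case 'd': return FLAG_D;
    case 't': return FLAG_T;
    case 'o': return FLAG_O;
    default:  return FLAG_UNKNOWN;
    }
}

/* Buggy shape: the first read happens before any bounds check, so an empty
 * control string (len == 0) reads one byte past the end of its allocation. */
int parse_flags_buggy(const char *control, size_t len, int *overreads)
{
    struct cursor c = { control, control + len, 0 };
    int flags = 0;
    while (1) {
        flags |= flag_bit(peek(&c));   /* out of bounds when len == 0 */
        c.cur++;
        if (c.cur >= c.end)            /* the check comes one read too late */
            break;
        if (peek(&c) == ':')           /* skip a separator */
            c.cur++;
    }
    *overreads = c.overreads;
    return flags;
}

/* Fixed shape: "while (control < end)" guards every read in the body. */
int parse_flags_fixed(const char *control, size_t len, int *overreads)
{
    struct cursor c = { control, control + len, 0 };
    int flags = 0;
    while (c.cur < c.end) {
        flags |= flag_bit(peek(&c));
        c.cur++;
        if (c.cur < c.end && peek(&c) == ':')
            c.cur++;
    }
    *overreads = c.overreads;
    return flags;
}

/* Wrappers for NUL-terminated input: return the over-read count or the flags. */
int buggy_overreads(const char *control)
{ int n; (void)parse_flags_buggy(control, strlen(control), &n); return n; }
int fixed_overreads(const char *control)
{ int n; (void)parse_flags_fixed(control, strlen(control), &n); return n; }
int buggy_flags(const char *control)
{ int n; return parse_flags_buggy(control, strlen(control), &n); }
int fixed_flags(const char *control)
{ int n; return parse_flags_fixed(control, strlen(control), &n); }

int main(void)
{
    const char *inputs[] = { "", "d:t:o", "d:" };   /* constructed samples */
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("\"%s\": buggy over-reads=%d flags=%d | fixed over-reads=%d flags=%d\n",
               inputs[i], buggy_overreads(inputs[i]), buggy_flags(inputs[i]),
               fixed_overreads(inputs[i]), fixed_flags(inputs[i]));
    return 0;
}
```

With a NUL-terminated C string the stray read lands on the terminator and nothing crashes, which is exactly why this class of defect is usually found by Valgrind (or AddressSanitizer) rather than by tests; the counter in `peek()` plays that role here.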
[11 Apr 10:25] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/45231

ChangeSet@1.2572, 2008-04-11 10:30:06+02:00, msvensson@pilot.mysql.com +1 -0
  Bug#35986 valgrind warning in DbugParse for empty string in SET GLOBAL DEBUG=""
   - Code in DbugParse was reading from beyond end of the control string
[2 May 12:43] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/46288

ChangeSet@1.2614, 2008-05-02 12:49:31+02:00, msvensson@pilot.mysql.com +1 -0
  Bug#35986 valgrind warning in DbugParse for empty string in SET GLOBAL DEBUG=""
   - Code in DbugParse was reading from beyond end of the control string
[6 May 2:25] Bugs System
Pushed into 5.0.62
[6 May 2:29] Bugs System
Pushed into 5.1.25-rc
[6 May 2:32] Bugs System
Pushed into 6.0.6-alpha
[14 May 4:23] Paul DuBois
Noted in 5.0.62, 5.1.25, 6.0.6 changelogs.

SET GLOBAL debug='' resulted in a Valgrind warning in DbugParse(),
which was reading beyond the end of the control string.