Bug #37150 Risk for crash in User_var_log_event::exec_event()
Submitted: 3 Jun 2008 6:39 Modified: 23 Jul 2008 17:57
Reporter: Mats Kindahl Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Replication Severity:S2 (Serious)
Version:5.0.44 OS:Any
Assigned to: Mats Kindahl CPU Architecture:Any

[3 Jun 2008 6:39] Mats Kindahl 
Description:
Inside User_var_log_event::exec_event(), there is the following sequence of calls:

  Item_func_set_user_var e(user_var_name, it);
  e.fix_fields(thd, 0);
  e.update_hash(val, val_len, type, charset, DERIVATION_IMPLICIT, 0);

In the event that fix_fields() fails with a certain set of errors (e.g., out of memory), a call to update_hash() will try to de-reference a NULL pointer, hence cause a crash.

How to repeat:
Read the code

Suggested fix:
Add a guard so that update_hash() is not called if fix_fields() fail.
[7 Jul 2008 7:58] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/49062

2642 Mats Kindahl	2008-07-07
      Bug #37150  	Risk for crash in User_var_log_event::exec_event()
      
      On certain kinds of errors (e.g., out of stack), a call to Item_func_
      set_user_var::fix_fields() might fail.  Since the return value of this
      call was not checked inside User_var_log_event::exec_event(), continuing
      execution after this will cause a crash inside Item_func_set_user_var::
      update_hash().
      
      The bug is fixed by aborting execution of the event with an error if
      fix_fields() fails, since it is not possible to continue execution anyway.
[9 Jul 2008 12:40] Georgi Kodinov 
Pushed into 5.0.66
[23 Jul 2008 9:13] Georgi Kodinov 
pushed into 5.1.28 and 6.0.7-alpha
[23 Jul 2008 17:57] Jon Stephens 
Documented bugfix in the 5.0.66, 5.1.28, and 6.0.7 changelogs as follows:

        Some kinds of internal errors (such as Out of stack) caused the server to 
        crash.
[28 Jul 2008 13:47] Bugs System 
Pushed into 5.0.68  (revid:kpettersson@mysql.com-20080715152926-s5kgnqhtu93b3c8v) (pib:2)
(Retry automatic marking, to ensure nothing is missed. cm01)
[28 Jul 2008 16:47] Bugs System 
Pushed into 5.1.28  (revid:joerg@mysql.com-20080714105031-88hmr2baz5di9xej) (version source revid:joerg@mysql.com-20080714105031-88hmr2baz5di9xej) (pib:3)
[15 Aug 2008 13:06] Mats Kindahl 
Documentation should probably be "certain internal errors, such as out of memory errors, could cause server to crash when replicating statements with user variables."

It was observed when reading the code, we didn't have a live case.