MySQL Bugs: #44684: valgrind reports invalid reads in Item_func_spatial_collection::val

Bug #44684	valgrind reports invalid reads in Item_func_spatial_collection::val_str
Submitted:	6 May 2009 7:54	Modified:	17 Jul 2009 2:49
Reporter:	Shane Bester (Platinum Quality Contributor)	Email Updates:
Status:	Closed	Impact on me:	None
Category:	MySQL Server: GIS	Severity:	S3 (Non-critical)
Version:	5.1.35	OS:	Linux
Assigned to:	Martin Hansson	CPU Architecture:	Any
Tags:	regression, valgrind

Description:
2 errors in context 1 of 6:
 Conditional jump or move depends on uninitialised value(s)
at: Item_func_spatial_collection::val_str(String*) (item_geofunc.cc:429)
by: Item::save_in_field(Field*, bool) (item.cc:4892)
by: fill_record(THD*, Field**, List<Item>&, bool) (sql_base.cc:8203)
by: select_union::send_data(List<Item>&) (sql_union.cc:60)
by: JOIN::exec() (sql_select.cc:1688)
by: mysql_select
by: handle_select
by: execute_sqlcom_select
by: mysql_execute_command
by: mysql_open_cursor
by: Prepared_statement::execute
by: Prepared_statement::execute_loop
 
 2 errors in context 2 of 6:
 Invalid read of size 4
at: Item_func_spatial_collection::val_str(String*) (item_geofunc.cc:429)
by: Item::save_in_field(Field*, bool) (item.cc:4892)
by: fill_record(THD*, Field**, List<Item>&, bool) (sql_base.cc:8203)
by: select_union::send_data(List<Item>&) (sql_union.cc:60)
by: JOIN::exec() (sql_select.cc:1688)
by: mysql_select
by: handle_select
by: execute_sqlcom_select
by: mysql_execute_command
by: mysql_open_cursor
by: Prepared_statement::execute
by: Prepared_statement::execute_loop

  Address 0x7BAB635 is 5 bytes inside a block of size 8 alloc'd
  
at: malloc (vg_replace_malloc.c:149)
by: my_malloc (my_malloc.c:34)
by: String::real_alloc(unsigned) (sql_string.cc:51)
by: String::copy (sql_string.h:202)
by: String::copy (sql_string.cc:334)
by: Item_param::set_str(char const*, unsigned long) (item.cc:2699)
by: set_param_str (sql_prepare.cc:593)
by: insert_params (sql_prepare.cc:806)
by: Prepared_statement::set_parameters (sql_prepare.cc:3153)
by: Prepared_statement::execute_loop (sql_prepare.cc:3212)
by: mysql_stmt_execute(sql_prepare.cc:2462)
by: dispatch_command

How to repeat:
testcase will come later.

full stack trace of the error

Attachment: bug44684_full_5.1.35_valgrind.txt (text/plain), 4.05 KiB.

testcase
--------
Run mysqld under valgrind and watch for warnings from the testcase:

prepare stmt from "select linestring(?,'')";
set @a='11111';
execute stmt using @a;
deallocate prepare stmt;

didn't affect 5.0.82 or 5.1.32.

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/76038

2931 Martin Hansson	2009-06-10
      Bug#44684: valgrind reports invalid reads in 
      Item_func_spatial_collection::val_str
      
      When the concatenation function for geometry data collection
      reads the binary data it expects a 4 byte type code, but if the
      length of the data is between 0 and 4
     @ mysql-test/r/gis.result
        Bug#44684: Test result.
     @ mysql-test/t/gis.test
        Bug#44684: Test case. Gives valgrind errors.
     @ sql/item_geofunc.cc
        Bug#44684: Fix: extra check.

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/76040

2931 Martin Hansson	2009-06-10
      Bug#44684: valgrind reports invalid reads in 
      Item_func_spatial_collection::val_str
        
      When the concatenation function for geometry data collections
      reads the binary data it expects a 4 byte type code right after the
      header bytes, but if the length of the data beyond these is between
      0 and 4, we read from unallocated memory.
      Fixed by checking that there is at least 4 bytes of data allocated
      for the type code.
     @ mysql-test/r/gis.result
        Bug#44684: Test result
     @ mysql-test/t/gis.test
        Bug#44684: Test case
     @ sql/item_geofunc.cc
        Bug#44684: Fix.

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/76397

2931 Martin Hansson	2009-06-16
      Bug#44684: valgrind reports invalid reads in 
      Item_func_spatial_collection::val_str
              
      When the concatenation function for geometry data collections
      reads the binary data it was not rigorous in checking that there
      is data available, leading to invalid reads and crashes.
      Fixed by making checking stricter.
     @ mysql-test/r/gis.result
        Bug#44684: Test result
     @ mysql-test/t/gis.test
        Bug#44684: Test case
     @ sql/item_geofunc.cc
        Bug#44684: fix(es)
        - Check that there are 4 bytes available for type code.
        - Check that there is at least one point available for linestring.
        - Check that there are at least 2 points in a polygon and
          data for all the points.

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/76475

2931 Martin Hansson	2009-06-17
      Bug#44684: valgrind reports invalid reads in 
      Item_func_spatial_collection::val_str
              
      When the concatenation function for geometry data collections
      reads the binary data it was not rigorous in checking that there
      is data available, leading to invalid reads and crashes.
      Fixed by making checking stricter.
     @ mysql-test/r/gis.result
        Bug#44684: Test result
     @ mysql-test/t/gis.test
        Bug#44684: Test case
     @ sql/item_geofunc.cc
        Bug#44684: fix(es)
        - Check that there are 4 bytes available for type code.
        - Check that there is at least one point available for linestring.
        - Check that there are at least 2 points in a polygon and
          data for all the points.

Pushed into 5.1.37 (revid:joro@sun.com-20090708131116-kyz8iotbum8w9yic) (version source revid:mhansson@mysql.com-20090617153453-teigzx25qzxfdb59) (merge vers: 5.1.36) (pib:11)

Pushed into 5.1.37 (revid:joro@sun.com-20090708131116-kyz8iotbum8w9yic) (version source revid:mhansson@mysql.com-20090617153453-teigzx25qzxfdb59) (merge vers: 5.1.36) (pib:11)

Pushed into 5.4.4-alpha (revid:anozdrin@bk-internal.mysql.com-20090710111017-bnh2cau84ug1hvei) (version source revid:kristofer.pettersson@sun.com-20090617180427-zxqutdhvhzdhoa8s) (merge vers: 5.4.4-alpha) (pib:11)

Noted in 5.1.37, 5.4.4 changelogs.

when reading binary data, the concatenation function for geometry
data collections did not rigorously check for available data, leading
to invalid reads and server crashes.

Noted in 5.4.2 changelog because next 5.4 version will be 5.4.2 and not 5.4.4.

Ignore previous comment about 5.4.2.

Pushed into 5.1.37-ndb-7.0.8 (revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers: 5.1.37-ndb-7.0.8) (pib:11)

Pushed into 5.1.37-ndb-6.3.27 (revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc) (version source revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc) (merge vers: 5.1.37-ndb-6.3.27) (pib:11)

Pushed into 5.1.37-ndb-6.2.19 (revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4) (version source revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4) (merge vers: 5.1.37-ndb-6.2.19) (pib:11)

Pushed into 5.1.35-ndb-7.1.0 (revid:magnus.blaudd@sun.com-20090827163030-6o3kk6r2oua159hr) (version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers: 5.1.37-ndb-7.0.8) (pib:11)

The 5.4 fix has been pushed to 5.4.2.