Bug #59241 invalid memory read in do_div_mod with doubly assigned variables
Submitted: 31 Dec 2010 9:36  Modified: 29 Jan 2011 23:11
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Server: DML  Severity: S2 (Serious)
Version: 5.6.2, 5.5  OS: Any
Assigned to: Tor Didriksen  CPU Architecture: Any
Tags: regression

[31 Dec 2010 9:36] Shane Bester
Description:
5.6.2 from mysql-trunk:

Invalid read of size 8
at: do_div_mod (decimal.c:2107)
by: decimal_div (decimal.c:2363)
by: my_decimal_div (my_decimal.h:427)
by: Item_func_int_div::val_int (item_func.cc:1607)
by: Item::send (item.cc:5968)
by: Protocol::send_result_set_row (protocol.cc:848)
by: select_send::send_data (sql_class.cc:1866)
by: JOIN::exec (sql_select.cc:2794)
by: mysql_select (sql_select.cc:3554)
by: handle_select (sql_select.cc:323)
by: execute_sqlcom_select (sql_parse.cc:4513)
by: mysql_execute_command (sql_parse.cc:2096)
by: mysql_parse (sql_parse.cc:5550)
by: dispatch_command(sql_parse.cc:1078)
by: do_command (sql_parse.cc:815)
by: do_handle_one_connection (sql_connect.cc:748)
by: handle_one_connection (sql_connect.cc:684)
by: start_thread (pthread_create.c:301)
Address 0xf4bc5d0 is 16 bytes inside a block of size 64 free'd
at: realloc (vg_replace_malloc.c:476)
by: my_realloc (my_malloc.c:101)
by: update_hash (item_func.cc:4342)
by: Item_func_set_user_var::update_hash (item_func.cc:4376)
by: Item_func_set_user_var::update (item_func.cc:4641)
by: Item_func_set_user_var::val_str (item_func.cc:4685)
by: Item_func_set_user_var::check (item_func.cc:4542)
by: Item_func_set_user_var::val_decimal (item_func.cc:4693)
by: Item_func_int_div::val_int(item_func.cc:1603)
by: Item::send (item.cc:5968)
by: Protocol::send_result_set_row (protocol.cc:848)
by: select_send::send_data (sql_class.cc:1866)
by: JOIN::exec (sql_select.cc:2794)
by: mysql_select (sql_select.cc:3554)
by: handle_select (sql_select.cc:323)
by: execute_sqlcom_select (sql_parse.cc:4513)
by: mysql_execute_command (sql_parse.cc:2096)
by: mysql_parse (sql_parse.cc:5550)
by: dispatch_command (sql_parse.cc:1078)
by: do_command (sql_parse.cc:815)
by: do_handle_one_connection (sql_connect.cc:748)
by: handle_one_connection (sql_connect.cc:684)
by: start_thread (pthread_create.c:301)

How to repeat:
#run mysqld in valgrind, then:

select ((@`a`:=@`b`:=ceil(@@session.max_error_count)) div (@`b`:=@`a`:=get_format(datetime,'usa')));
[31 Dec 2010 12:15] Sveta Smirnova
Thank you for the report.

Verified as described.
[5 Jan 2011 14:45] Øystein Grøvlen
This issue was introduced by the fix for Bug#8457.

It also exists in 5.5 branch (probably since 5.5.3).
Hence, I guess it should be retriaged.
[11 Jan 2011 21:41] Omer Barnir
triage: change from SR56RC to SR55MRU as exists there as well
[13 Jan 2011 11:38] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/128637

3498 Tor Didriksen	2011-01-13
      Bug #59241 invalid memory read in do_div_mod with doubly assigned variables
      
      Fix: copy my_decimal by value, to avoid dangling pointers.
     @ mysql-test/r/func_math.result
        New test case.
     @ mysql-test/t/func_math.test
        New test case.
     @ sql/item_cmpfunc.cc
        No need to call fix_buffer_pointer() anymore.
     @ sql/item_func.cc
        Copy my_decimal by value, to avoid dangling pointers.
     @ sql/my_decimal.h
        Implement proper copy constructor and assignment operator for my_decimal.
     @ sql/sql_analyse.cc
        No need to call fix_buffer_pointer() anymore.
     @ strings/decimal.c
        Remove #line directive: it messes up TAGS and it confuses gdb when debugging.
     @ unittest/gunit/CMakeLists.txt
        New unit test.
     @ unittest/gunit/my_decimal-t.cc
        Unit test for my_decimal copy constructor and assignment operator.
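The fix described in the commit message above, as an added example that is not MySQL's code: a simplified C++ model of a value type whose digit pointer must point at its own inline storage. The names RawDecimal, DecimalModel, kDigits and both check functions are hypothetical; the block shows why a memberwise copy aliases the source object and how a copy constructor and assignment operator keep a by-value copy readable after the source is released.

```cpp
#include <cstdint>
#include <cstring>
#include <memory>

enum { kDigits = 9 };  // constructed size, not MySQL's buffer length

// Memberwise-copied layout: `buf` is meant to point at `storage`.
struct RawDecimal {
  int32_t *buf;
  int32_t storage[kDigits];
};

// Same layout with explicit copy semantics that re-point `buf`.
struct DecimalModel {
  int32_t *buf;
  int32_t storage[kDigits];

  DecimalModel() : buf(storage) { std::memset(storage, 0, sizeof storage); }
  DecimalModel(const DecimalModel &rhs) : buf(storage) {
    std::memcpy(storage, rhs.storage, sizeof storage);
  }
  DecimalModel &operator=(const DecimalModel &rhs) {
    if (this != &rhs) std::memcpy(storage, rhs.storage, sizeof storage);
    buf = storage;  // never inherit rhs.buf
    return *this;
  }
};

// Implicit copy: the new object's buf still points into the source object,
// so it dangles as soon as the source is freed or reallocated.
bool memberwise_copy_aliases_source() {
  RawDecimal a = {};
  a.buf = a.storage;
  RawDecimal b = a;
  return b.buf == a.storage && b.buf != b.storage;
}

// Copy by value, release the source, then read through the copy's own buf.
int32_t copy_survives_source_release() {
  std::unique_ptr<DecimalModel> src(new DecimalModel);
  src->storage[0] = 42;  // constructed sample digit
  DecimalModel copy(*src);
  src.reset();           // source storage is gone
  return copy.buf == copy.storage ? copy.buf[0] : -1;
}

int main() {
  return (memberwise_copy_aliases_source() &&
          copy_survives_source_release() == 42) ? 0 : 1;
}
```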
[14 Jan 2011 9:05] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/128702

3242 Tor Didriksen	2011-01-14
      Bug #59241 invalid memory read in do_div_mod with doubly assigned variables
      
      Fix: copy my_decimal by value, to avoid dangling pointers.
     @ mysql-test/r/func_math.result
        New test case.
     @ mysql-test/t/func_math.test
        New test case.
     @ sql/item_cmpfunc.cc
        No need to call fix_buffer_pointer() anymore.
     @ sql/item_func.cc
        Copy my_decimal by value, to avoid dangling pointers.
     @ sql/my_decimal.h
        Implement proper copy constructor and assignment operator for my_decimal.
     @ sql/sql_analyse.cc
        No need to call fix_buffer_pointer() anymore.
     @ strings/decimal.c
        Remove #line directive: it messes up TAGS and it confuses gdb when debugging.
[14 Jan 2011 9:29] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/128703

3504 Tor Didriksen	2011-01-14 [merge]
      Merge Bug #59241 from 5.5
     @ unittest/gunit/CMakeLists.txt
        New unit test.
     @ unittest/gunit/my_decimal-t.cc
        Unit test for my_decimal copy constructor and assignment operator.
[14 Jan 2011 9:31] Tor Didriksen
pushed to 5.5 and trunk
[14 Jan 2011 9:31] Bugs System
Pushed into mysql-trunk 5.6.2 (revid:tor.didriksen@oracle.com-20110114092911-2vu7p7obkao0cfiy) (version source revid:tor.didriksen@oracle.com-20110114092911-2vu7p7obkao0cfiy) (merge vers: 5.6.2) (pib:24)
[14 Jan 2011 9:31] Bugs System
Pushed into mysql-5.5 5.5.9 (revid:tor.didriksen@oracle.com-20110114090514-n2ixo8vof6sqxuih) (version source revid:tor.didriksen@oracle.com-20110114090514-n2ixo8vof6sqxuih) (merge vers: 5.5.9) (pib:24)
[14 Jan 2011 12:21] MySQL Verification Team
Tor, did this fix cause bug #59498 ?
[20 Jan 2011 19:28] Paul DuBois
Noted in 5.5.9, 5.6.2 changelogs.

For DIV expressions, assignment of the result to multiple variables
could cause a server crash.
[4 Jun 2013 19:08] Paul DuBois
Noted in 5.1.71 changelog.