Bug #29166 MySQL crash when query is run
Submitted: 18 Jun 2007 4:51 Modified: 9 Jul 2007 3:04
Reporter: Matt Fraser
Status: Closed
Category: Server: General    Severity: S2 (Serious)
Version: 5.0.18    OS: Linux
Assigned to: Georgi Kodinov    Target Version:

[18 Jun 2007 4:51] Matt Fraser
Description:
MySQL server crashes every time I run the following query:

Select astext(geometry) from geometry where astext(geometry) like '%POLY%';

How to repeat:
1) Restore the attached file (geotable.zip)
2) Run the following query in the query browser:

Select astext(geometry) from geometry where astext(geometry) like '%POLY%';

3) MySQL crashes

Suggested fix:
Stop the crash
[18 Jun 2007 7:54] Valeriy Kravchuk
Thank you for a problem report. Sorry, but there is no geotable.zip file attached. Please,
check. Also try to repeat with a newer version of MySQL server, 5.0.41.
[18 Jun 2007 13:04] Matt Fraser
I've uploaded bug-data-29166.zip to the ftp site. Please retry.
[18 Jun 2007 13:04] Matt Fraser
Please see last comment...bug-data-29166.zip is intended to replace geotable.zip in the
original comments
[18 Jun 2007 14:16] Miguel Solorzano
Thank you for the bug report. Verified on Linux too.

[New Thread -1263600752 (LWP 9739)]
070618  8:56:15 [Note] /home/miguel/dbs/5.0/libexec/mysqld: ready for connections.
Version: '5.0.44-debug'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution
[New Thread -1263801456 (LWP 9811)]
Error: Memory allocated at sql_string.cc:82 was overrun, discovered at 'sql_string.h:189'
*** glibc detected *** /home/miguel/dbs/5.0/libexec/mysqld: double free or corruption (!prev): 0x0a07ea48 ***
======= Backtrace: =========
/lib/libc.so.6[0x97909d]
/lib/libc.so.6(cfree+0x90)[0x97c6f0]
/home/miguel/dbs/5.0/libexec/mysqld(_myfree+0x26a)[0x8574587]
/home/miguel/dbs/5.0/libexec/mysqld(_ZN6String4freeEv+0x47)[0x817b431]
/home/miguel/dbs/5.0/libexec/mysqld(_ZN6StringD1Ev+0x11)[0x817b46d]
/home/miguel/dbs/5.0/libexec/mysqld(_ZN11select_send9send_dataER4ListI4ItemE+0x262)[0x820f58c]
/home/miguel/dbs/5.0/libexec/mysqld[0x828212e]
/home/miguel/dbs/5.0/libexec/mysqld[0x82881ee]
/home/miguel/dbs/5.0/libexec/mysqld(_Z10sub_selectP4JOINP13st_join_tableb+0x15e)[0x8288420]
/home/miguel/dbs/5.0/libexec/mysqld[0x829039b]
/home/miguel/dbs/5.0/libexec/mysqld(_ZN4JOIN4execEv+0x1fb7)[0x82a6103]
<cut>

The version 5.1BK presented the below error in the create table:

mysql> CREATE TABLE `geometry` (
    ->   `id` int(10) unsigned NOT NULL auto_increment,
    ->   `geometry` geometry NOT NULL default '',
    ->   `type` varchar(15) NOT NULL default '',
    ->   PRIMARY KEY  (`id`),
    ->   SPATIAL KEY `Index_spat` (`geometry`(32))
    -> ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
ERROR 1089 (HY000): Incorrect sub part key; the used key part isn't a string, the used length is longer than the key part, or the storage engine doesn't support unique sub keys
mysql>
[5 Jul 2007 17:25] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/30384

ChangeSet@1.2518, 2007-07-05 18:24:48+03:00, gkodinov@magare.gmz +3 -0
  Bug #29166: 
  AsText() needs to know the maximum number of
  characters an IEEE double precision value can
  occupy to make sure there's enough buffer space.
  The number was too small to hold all possible
  values and this caused buffer overruns.
  Fixed by correcting the calculation of the 
  maximum digits in a string representation of an
  IEEE double precision value as printed by 
  String::qs_append(double).
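The commit message above attributes the overrun to an undersized estimate of how many characters a printed IEEE double can need. As an added example that is not MySQL's code, the C program below measures that width empirically over a set of constructed boundary values (DBL_MAX, the smallest denormal, negatives), compares it with an analytic bound for a "%.Pg" format, and shows an append helper that refuses to write when the worst case would not fit in the caller's buffer. The "%.17g" format, the probe values and the function names are assumptions chosen for illustration; String::qs_append(double) has its own formatting, which this example does not reproduce.

```c
/*
 * Added example (not MySQL's code): how wide can a formatted C double get,
 * and what a size check before appending looks like. "%.17g" is an assumed
 * stand-in for a round-trip print; MySQL's qs_append(double) differs.
 */
#include <stdio.h>
#include <string.h>
#include <float.h>

/* Length (without NUL) of the text that fmt produces for value v. */
static int formatted_len(const char *fmt, double v)
{
    return snprintf(NULL, 0, fmt, v);
}

/* Constructed probe set: values that stress the width of a printed double
 * (largest and smallest magnitudes, smallest denormal, negatives). */
static const double probes[] = {
    0.0, 1.0, -1.0, 0.1, 1.0 / 3.0,
    DBL_MAX, -DBL_MAX, DBL_MIN, -DBL_MIN,
    4.9406564584124654e-324, -4.9406564584124654e-324,
    123456789012345678.0, -0.000123456789012345678
};

/* Worst printed width observed over the probe set for the given format. */
int max_len_for_format(const char *fmt)
{
    int worst = 0;
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int n = formatted_len(fmt, probes[i]);
        if (n > worst)
            worst = n;
    }
    return worst;
}

/* Analytic bound for "%.Pg": sign, P significant digits, decimal point,
 * 'e', exponent sign and up to three exponent digits. */
int bound_for_precision(int precision)
{
    return 1 + precision + 1 + 1 + 1 + 3;
}

/* Append v to buf at offset used, but only if the worst case fits.
 * Returns the number of characters appended, or -1 when the buffer is too
 * small for the worst case (the check an undersized estimate defeats). */
int append_double_checked(char *buf, size_t cap, size_t used,
                          double v, int precision)
{
    char fmt[16];
    size_t need = (size_t)bound_for_precision(precision) + 1; /* + NUL */

    snprintf(fmt, sizeof fmt, "%%.%dg", precision);
    if (used > cap || cap - used < need)
        return -1;
    return snprintf(buf + used, cap - used, fmt, v);
}

int main(void)
{
    char buf[64];
    char small[16];
    int n;

    printf("worst observed width with %%.17g: %d\n", max_len_for_format("%.17g"));
    printf("analytic bound for 17 digits:   %d\n", bound_for_precision(17));

    n = append_double_checked(buf, sizeof buf, 0, -DBL_MAX, 17);
    printf("-DBL_MAX -> \"%s\" (%d chars)\n", buf, n);

    /* A buffer sized from an undersized estimate is refused, not overrun. */
    printf("16-byte buffer: %d\n",
           append_double_checked(small, sizeof small, 0, -DBL_MAX, 17));
    return 0;
}
```

The point of the bound function is that it is computed from the format's precision rather than guessed: with 17 significant digits the widest probe, -DBL_MAX, prints as 24 characters, which is exactly what the bound predicts, so a 16-byte destination is rejected before anything is written.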
[8 Jul 2007 19:28] Bugs System
Pushed into 5.1.21-beta
[8 Jul 2007 19:30] Bugs System
Pushed into 5.0.46
[9 Jul 2007 3:04] Paul DuBois
Noted in 5.0.46, 5.1.21 changelogs.

AsText() could fail with a buffer overrun.