Bug #19216 Client crashes on long SELECT
Submitted: 20 Apr 2006 11:52 Modified: 28 Nov 2006 20:36
Reporter: Victoria Reznichenko
Status: Closed
Category:MySQL Server: Command-line Clients Severity:S3 (Non-critical)
Version:4.1, 5.0 OS:Any (any)
Assigned to: Georgi Kodinov CPU Architecture:Any

[20 Apr 2006 11:52] Victoria Reznichenko
Description:
If I run a long SELECT, the mysql command-line client crashes:

[vita@vita mysql-4.1]# ./bin/mysql -uvita < /tmp/q.sql
Error: Memory allocated at my_alloc.c:194 was overrun, discovered at 'my_alloc.c:194'
Error: Memory allocated at :140647608 was underrun, discovered at my_alloc.c:194
Error: Memory allocated at :140647608 was overrun, discovered at 'my_alloc.c:194'
Segmentation fault

The SELECT looks like: SELECT 'a', 'b', 'c', 'd', .. <other dummy chars>;

[vita@vita mysql-4.1]# ls -ls /tmp/q.sql
980 -rw-r--r-- 1 vita vita 998541 Apr 20 06:33 /tmp/q.sql

How to repeat:
Run the SELECT from the uploaded file.
[20 Apr 2006 11:52] MySQL Verification Team
select

Attachment: q.zip (application/zip, text), 4.85 KiB.

[1 Nov 2006 11:00] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/14658

ChangeSet@1.2536, 2006-11-01 12:59:25+02:00, gkodinov@macbook.gmz +4 -0
  Bug #19216: Client crashes on long SELECT
   When sending column info the server was using a limited
   function not capable of sending more than a 2-byte int
   to send the column count that is sent in front of the
   column data.
   The client was allocating a block large enough to hold
   as many columns as the count is and then was storing
   all the columns in a sequence without checking if the 
   allocated block is large enough to hold them.
   Fixed the server to correctly send column counts
   larger than 64k.
   Fixed the client to count the incoming columns first
   and then allocate enough space to accommodate them all.
[10 Nov 2006 20:08] Konstantin Osipov
Approved by email with several comments.
[13 Nov 2006 10:29] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/15209

ChangeSet@1.2536, 2006-11-13 12:28:55+02:00, gkodinov@macbook.gmz +4 -0
  Bug #19216: Client crashes on long SELECT
   The server sends a number of columns to the client.
   It uses a limited "fast" function for that instead of the
   general one. This fast function cannot send numbers larger 
   than 2 bytes. 
   This causes the client to expect a smaller number of columns.
   The client writes outside of the allocated memory buffer 
   as a result.
   Fixed the server to use the general function to send column
   count.
   Fixed the client to check the column count before writing
   column data.
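As an added illustration of the mismatch the commit message describes (this is not code from the MySQL source or from the patch): a 2-byte store truncates the column count, the client decodes a smaller number, and a client that bounds its writes by the announced count refuses the surplus column packets instead of writing past its allocation. The encoding follows the MySQL length-encoded integer format; store_count_fast is a hypothetical stand-in for the server's old 2-byte-limited routine, and unpack_fields_checked is a simplified model of the fixed client, not the real unpack_fields().

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for the old "fast" store: correct below 65536, but
 * above that the 2-byte store silently drops bits 16 and up of the count. */
size_t store_count_fast(uint8_t *buf, uint32_t n)
{
    if (n < 251) { buf[0] = (uint8_t)n; return 1; }
    buf[0] = 0xFC;
    buf[1] = (uint8_t)(n & 0xFF);
    buf[2] = (uint8_t)((n >> 8) & 0xFF);   /* 70000 becomes 4464 here */
    return 3;
}

/* General MySQL length-encoded integer: 1, 3, 4 or 9 bytes, little-endian. */
size_t store_count_lenenc(uint8_t *buf, uint64_t n)
{
    int i, width;
    if (n < 251) { buf[0] = (uint8_t)n; return 1; }
    if (n < 65536ULL)          { buf[0] = 0xFC; width = 2; }
    else if (n < 16777216ULL)  { buf[0] = 0xFD; width = 3; }
    else                       { buf[0] = 0xFE; width = 8; }
    for (i = 0; i < width; i++) buf[1 + i] = (uint8_t)(n >> (8 * i));
    return 1 + (size_t)width;
}

/* Client-side decoder; returns bytes consumed, 0 if the buffer is too short. */
size_t read_lenenc(const uint8_t *buf, size_t len, uint64_t *out)
{
    int i, width;
    if (len == 0) return 0;
    if (buf[0] < 251) { *out = buf[0]; return 1; }
    width = buf[0] == 0xFC ? 2 : buf[0] == 0xFD ? 3 : buf[0] == 0xFE ? 8 : 0;
    if (width == 0 || len < (size_t)(1 + width)) return 0;
    for (*out = 0, i = 0; i < width; i++) *out |= (uint64_t)buf[1 + i] << (8 * i);
    return 1 + (size_t)width;
}

/* Encode a count with either routine and decode it as the client would. */
uint64_t roundtrip(int use_fast, uint64_t n)
{
    uint8_t buf[9]; uint64_t out = 0;
    size_t len = use_fast ? store_count_fast(buf, (uint32_t)n) : store_count_lenenc(buf, n);
    return read_lenenc(buf, len, &out) == len ? out : (uint64_t)-1;
}

/* Model of the fixed client: the announced count bounds the column table, so a
 * column packet past that count is rejected (-1) rather than written out of
 * bounds, which is what the old client did. Returns columns stored on success. */
long unpack_fields_checked(uint64_t announced, uint64_t arriving)
{
    uint64_t i;
    char *slots = calloc(announced ? (size_t)announced : 1, 1);
    if (!slots) return -1;
    for (i = 0; i < arriving; i++) {
        if (i >= announced) { free(slots); return -1; }   /* the overrun case */
        slots[i] = 1;
    }
    free(slots);
    return (long)i;
}
```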
[27 Nov 2006 17:10] Georgi Kodinov
Pushed in 4.1.23/5.0.32/5.1.14-beta
[28 Nov 2006 20:36] Paul DuBois
Noted in 4.1.23, 5.0.32, 5.1.14 changelogs.