Bug #25172 Server crash with GROUP and LIMIT
Submitted: 19 Dec 2006 12:28 Modified: 1 Feb 2007 2:51
Reporter: Christian Hammers (Silver Quality Contributor) (SCA)
Status: Closed
Category: Server    Severity: S2 (Serious)
Version: 5.0.30 Enterprise    OS: Linux (Debian GNU/Linux etch)
Assigned to: Evgeny Potemkin    Target Version:

[19 Dec 2006 12:28] Christian Hammers
Description:
Hello

As reported as Debian bug bugs.debian.org/403721 by Benoit Plessis
<b.plessis@doyousoft.com>, there is a bug in MySQL-5.0.30 that either crashes
or freezes connections.

Attached you will find a mysqldump that creates the t_crash database with all
tables.

I could reproduce the bug on my amd64 system but not on an i386 one, so it may be
architecture-dependent.

bye,

-christian-

How to repeat:
mysql> SELECT * FROM m LEFT JOIN u ON u.id = m.checked_out GROUP BY m.id ORDER BY m.row,
m.ordering, m.type, m.name LIMIT 0, 30;
ERROR 2013 (HY000): Lost connection to MySQL server during query

If I remove the LIMIT stanza and/or one of the ORDER BY columns, everything goes fine.
Likewise if I strip the table m to fewer than 30 lines.

When narrowing down the subset of entries/SQL commands, I got this one too:

mysql> alter table u drop registerDate;
mysql> SELECT * FROM m LEFT JOIN u ON u.id = m.checked_out GROUP BY m.id ORDER BY m.row,
m.ordering, m.type, m.name LIMIT 0, 30;
...
30 rows in set (0.00 sec)
*** glibc detected *** double free or corruption (!prev): 0x00000000012201e0 ***

Suggested fix:
none
[19 Dec 2006 12:29] Christian Hammers
mysqldump of database t_crash

Attachment: crash.sql (text/x-sql), 4.45 KiB.

[18 Jan 2007 18:10] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/18361

ChangeSet@1.2385, 2007-01-18 20:10:06+03:00, evgen@moonbone.local +8 -0
  Bug#25172: Not checked buffer size leads to a server crash.
  
  After fix for bug#21798 JOIN stores the pointer to the buffer for sorting
  fields. It is used while sorting for grouping and for ordering. If ORDER BY
  clause has more elements than the GROUP BY clause then a memory overrun occurs.
  
  Now join stores the size of the allocated buffer and allocates a new one if needed.
[18 Jan 2007 21:25] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/18379

ChangeSet@1.2385, 2007-01-18 23:24:40+03:00, evgen@moonbone.local +7 -0
  Bug#25172: Not checked buffer size leads to a server crash.
  
  After fix for bug#21798 JOIN stores the pointer to the buffer for sorting
  fields. It is used while sorting for grouping and for ordering. If ORDER BY
  clause has more elements than the GROUP BY clause then a memory overrun occurs.
  
  Now the ORDER BY list is always passed to the make_unireg_sortorder()
  function and it allocates a buffer big enough to be used for the bigger list.
[19 Jan 2007 16:35] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/18443

ChangeSet@1.2385, 2007-01-19 18:34:09+03:00, evgen@moonbone.local +6 -0
  Bug#25172: Not checked buffer size leads to a server crash.
  
  After fix for bug#21798 JOIN stores the pointer to the buffer for sorting
  fields. It is used while sorting for grouping and for ordering. If ORDER BY
  clause has more elements than the GROUP BY clause then a memory overrun occurs.
  
  Now the length of the ORDER BY list is always passed to the
  make_unireg_sortorder() function and it allocates a buffer big enough to be
  used for the bigger list.
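The overrun the three changesets describe, as an added C model that is not MySQL's code (the struct, the function names and the integer "sort elements" are placeholders for the real JOIN/SORT_FIELD machinery): a buffer allocated for the GROUP BY list is reused for a longer ORDER BY list, and the fix records the allocated size beside the pointer and grows the buffer when the later list needs more slots. The last function replays the reported query shape, one GROUP BY element followed by four ORDER BY elements.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the sort-order buffer a JOIN keeps across its GROUP BY
   and ORDER BY sorts; not MySQL's real JOIN/SORT_FIELD types. */
typedef struct {
    int   *fields;    /* one slot per sort element */
    size_t capacity;  /* slots allocated: the size the fix started recording */
} sortorder_buf;

/* Pre-fix behaviour, modelled arithmetically instead of executed: the buffer
   sized for n_group GROUP BY elements is reused for n_order ORDER BY elements.
   Returns how many slots would land past the end of the allocation, i.e. the
   heap overrun glibc later reported as "double free or corruption". */
size_t overrun_slots(size_t n_group, size_t n_order) {
    return n_order > n_group ? n_order - n_group : 0;
}

/* Fixed behaviour: keep the allocated size beside the pointer and grow the
   buffer when a later list needs more slots. Returns 0 on success, -1 on OOM. */
int sortorder_prepare(sortorder_buf *b, size_t needed) {
    if (needed <= b->capacity) return 0;
    int *p = realloc(b->fields, needed * sizeof *p);
    if (!p) return -1;
    b->fields = p;
    b->capacity = needed;
    return 0;
}

/* Copy n sort elements in, growing first; never writes past capacity. */
int sortorder_fill(sortorder_buf *b, const int *src, size_t n) {
    if (sortorder_prepare(b, n) != 0) return -1;
    memcpy(b->fields, src, n * sizeof *src);
    return 0;
}

/* Replay the reported query shape: GROUP BY m.id (1 element), then ORDER BY
   m.row, m.ordering, m.type, m.name (4 elements) through the same buffer.
   Returns the final capacity: 4, grown from 1, where the old code overran. */
size_t run_report_shape(void) {
    sortorder_buf b = { NULL, 0 };
    int group_list[] = { 1 };           /* m.id */
    int order_list[]  = { 1, 2, 3, 4 }; /* m.row, m.ordering, m.type, m.name */
    size_t cap = 0;
    if (sortorder_fill(&b, group_list, 1) == 0 &&
        sortorder_fill(&b, order_list, 4) == 0)
        cap = b.capacity;
    free(b.fields);
    return cap;
}
```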
[28 Jan 2007 3:22] Igor Babaev
The fix has been pushed into 5.0.36, 5.1.16-beta main trees.
[1 Feb 2007 2:51] Jon Stephens
Thank you for your bug report. This issue has been committed to our source repository of
that product and will be incorporated into the next release.

If necessary, you can access the source repository and build the latest available
version, including the bug fix. More information about accessing the source trees is
available at

    http://dev.mysql.com/doc/en/installing-source.html

Documented bugfix in 5.0.36 and 5.1.16 changelogs.