Description:
I managed to generate a syntactically incorrect query from PHP. I know that the query is wrong, and I've fixed it, but I managed to hit some bug, which causes a SIGSEGV.
The stack trace for this is:
0x80bbfcd handle_segfault + 621
0x82f28ba __pthread_sighandler + 122
0x80e6fe3 _Z7yyparsePv + 66099
0x80d3f2a _Z11mysql_parseP3THDPcj + 106
0x80cd412 _Z16dispatch_command19enum_server_commandP3THDPcj + 3586
0x80cc595 _Z10do_commandP3THD + 117
0x80cbcce handle_one_connection + 702
0x82ee1ed pthread_start_thread + 205
0x832be87 clone + 103
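The trace above is in the fixed format the server prints on a signal: one frame per line as `0x<addr> <symbol> + <offset>`, with the C++ frames mangled (Itanium ABI, `_Z<len><name>...`). For triaging reports like this one it helps to machine-read that format, skip the signal-handler frames that sit on top of every such trace, and name the frame that actually faulted. The script below is an added example and not part of this report or of the MySQL source; it embeds a copy of the trace above as constructed input, and its minimal demangler deliberately handles only unnested names (enough for these frames), which is an assumption, not a general demangler.

```python
import re

# Constructed sample: a verbatim copy of the trace from the report above.
TRACE = """\
0x80bbfcd handle_segfault + 621
0x82f28ba __pthread_sighandler + 122
0x80e6fe3 _Z7yyparsePv + 66099
0x80d3f2a _Z11mysql_parseP3THDPcj + 106
0x80cd412 _Z16dispatch_command19enum_server_commandP3THDPcj + 3586
0x80cc595 _Z10do_commandP3THD + 117
0x80cbcce handle_one_connection + 702
0x82ee1ed pthread_start_thread + 205
0x832be87 clone + 103
"""

# One frame per line: hex address, symbol, "+", decimal offset into the symbol.
FRAME_RE = re.compile(r"^0x([0-9a-fA-F]+)\s+(\S+)\s+\+\s+(\d+)$")

# Frames pushed by the signal delivery itself; the faulting frame is the first one below them.
SIGNAL_FRAMES = ("handle_segfault", "__pthread_sighandler")


def demangle_simple(symbol):
    """Recover the base identifier from an Itanium-ABI mangled name.

    Assumption: only unnested names of the form _Z<len><name><params> are
    handled (e.g. _Z7yyparsePv -> yyparse); parameter encodings are ignored
    and anything else is returned unchanged.
    """
    m = re.match(r"_Z(\d+)", symbol)
    if not m:
        return symbol
    length = int(m.group(1))
    return symbol[m.end():m.end() + length]


def parse_trace(text):
    """Parse the trace into a list of dicts ordered innermost frame first."""
    frames = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FRAME_RE.match(line)
        if m is None:
            raise ValueError("unrecognised frame line: %r" % line)
        frames.append({
            "addr": int(m.group(1), 16),
            "symbol": m.group(2),
            "name": demangle_simple(m.group(2)),
            "offset": int(m.group(3)),
        })
    return frames


def faulting_frame(frames):
    """First frame that is not part of signal delivery: where the SIGSEGV hit."""
    for frame in frames:
        if frame["name"] not in SIGNAL_FRAMES:
            return frame
    return None


def triage(text):
    """Summarise a trace: faulting function, its offset, and the call chain.

    The component label is a heuristic: a fault inside yyparse means the
    crash happened while parsing SQL text, i.e. before any table is touched,
    which is exactly why the reproduction does not need the schema.
    """
    frames = parse_trace(text)
    fault = faulting_frame(frames)
    if fault is None:
        raise ValueError("no frame below the signal handler")
    component = "sql-parser" if fault["name"] == "yyparse" else "other"
    return {
        "fault": fault["name"],
        "offset": fault["offset"],
        "component": component,
        "call_chain": [f["name"] for f in frames],
    }


if __name__ == "__main__":
    summary = triage(TRACE)
    print("faulting frame: %s+%d (%s)" % (summary["fault"], summary["offset"], summary["component"]))
    print("call chain:", " <- ".join(summary["call_chain"]))
```

Run on the embedded trace it reports `yyparse+66099` as the faulting frame, reached through `mysql_parse`, `dispatch_command` and `do_command` from `handle_one_connection`, i.e. a crash reachable by any client that can send a statement, which is the useful fact when deciding how urgently such a report needs a fix.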
How to repeat:
Run the following query in any database (since the crash is in the parser, you don't even need to have any of the tables).
select mail_id,
if(folder.f_description!='', folder.f_description, folder.f_name)
as folder_name,
date,
address_id,
phrase,
address,
subject
from folder,
(select mail.mail_id as mail_id,
date_format(mail.h_date, '%b %e, %Y %h:%i') as date,
mail.folder_id,
sender.address_id as address_id,
sender.phrase as phrase,
sender.address as address,
mail.h_subject as subject
from mail
left join mxa as mxa_sender on mail.mail_id=mxa_sender.mail_id and
mxa_sender.type='from'
left join address as sender on mxa_sender.address_id=sender.address_id
mxa as mxa_recipient,
address as recipient,
where 1
and mail.mail_id=mxa_recipient.mail_id
and mxa_recipient.address_id=recipient.address_id
and mxa_recipient.type='to'
and match(sender.phrase, sender.address, sender.comment) against
('jeremy' in boolean mode)
and match(recipient.phrase, recipient.address, recipient.comment)
against ('monty' in boolean mode)
order by mail.h_date desc
limit 0, 25
) as query where query.folder_id=folder.folder_id
Suggested fix:
Fix the parser. :)