Bug #21142 Malformed insert causes a segmentation fault.
Submitted: 19 Jul 2006 9:32 Modified: 6 Mar 2007 19:15
Reporter: Morgan Tocker Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Command-line Clients Severity:S2 (Serious)
Version:ALL OS:
Assigned to: Ramil Kalimullin CPU Architecture:Any

[19 Jul 2006 9:32] Morgan Tocker
Description:
When inserting a malformed INSERT query, I was able to crash the server.  The insert has to be specially crafted.  If I make just about any change it seems to no longer segfault (very specific about crash).

Verified in 4.0.21, 5.0.22, 5.1.10 against more than one machine/OS/architecture (probably exists in a lot more versions).

How to repeat:
Try running this:

DROP TABLE IF EXISTS `a`;
CREATE TABLE `a` (
  `a` longtext NOT NULL,
  `b` longtext NOT NULL
 ) DEFAULT CHARSET=latin1 ENGINE=MyISAM;

INSERT INTO `a` VALUES (' 
INSERT INTO `a` VALUES ('<?php\r\n\r\($t) {\r\n. "...";	.</p>\r\n\r\n<?php\r\n\r\nfunction shorten_text($text) {\r\n	return substr($text, 0, 75) . "...";	\r\n}\r\n\r\nforeach (get_NNN_for_sale() as $NNN_id => $array) {\r\n/*pict1, thumb, id, make, model, year, status*/\r\n$imgsrc = $array[''thumb''];\r\n$filename = "foo";\r\n$textlink = sprintf("%s %s %s", $array[''year''],\r\n	$array[''make''], $array[''model'']);\r\n\r\nprint "<div style=''float: left; width: 120px''>\r\n<a href=\\"NNN?id=$NNN_id&fake=/v/NNN/$NNN_id/$filename.html\\"><img src=''/uploadedimages/$imgsrc'' width=''100'' height=''75'' border=''0'' alt=''''></a>\r\n</div><div style=''float: left; width: 250px''>\r\n<h3><a href=\\"NNN?id=$NNN_id&fake=$filename.html\\">$textlink</a></h3>";\r\nprint shorten_text($array[''details'']);\r\nprint "</div><div style=''clear: both''></div>";\r\n\r\n/*\r\nif ($array[''status'']=="expectedsoon") {\r\n	print "<font color=''red''>- Expected Soon</font>";\r\n}\r\n*/\r\n\r\n}\r\n?>\r\n<!--break-->');

**Note**
This may not be reproducable from here if the bug system changes line wrappings.  In this case, see attached file instead.
[19 Jul 2006 9:34] Morgan Tocker
steps to reproduce

Attachment: segfault-bug.sql (text/x-sql), 1.15 KiB.

[19 Jul 2006 10:02] Sveta Smirnova
Verified on Linux using 5.0 and 5.1 BK, but with exception: there is segmentation fault of client, not server.

Below is log:
ssmirnova@shella ~/mysql5.0b
$libexec/mysqld --defaults-file=support-files/my-small.cnf --skip-networking --basedir=. -ussmirnova --datadir=./data &
[1] 20367

ssmirnova@shella ~/mysql5.0b
$060719 12:00:54  InnoDB: Started; log sequence number 0 3316283
060719 12:00:54 [Note] libexec/mysqld: ready for connections.
Version: '5.0.25'  socket: '/tmp/mysql.sock'  port: 0  Source distribution

ssmirnova@shella ~/mysql5.0b
$ps -ef | grep mysql
10149    20367 19746  0 12:00 pts/19   00:00:00 libexec/mysqld --defaults-file=support-files/my-small.cnf --skip-networking --basedir=. -ussmirnova --datadir=./data

ssmirnova@shella ~/mysql5.0b
$bin/mysql --socket=/tmp/mysql.sock -uroot test
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 5.0.25

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> source ../mysql5.1b/bug21142.sql
Query OK, 0 rows affected, 1 warning (0.00 sec)

Query OK, 0 rows affected (0.13 sec)

Segmentation fault

ssmirnova@shella ~/mysql5.0b
$ps -ef | grep mysql
10149    20367 19746  0 12:00 pts/19   00:00:00 libexec/mysqld --defaults-file=support-files/my-small.cnf --skip-networking --basedir=. -ussmirnova --datadir=./data
[29 Aug 2006 9:35] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/10989

ChangeSet@1.2538, 2006-08-29 14:38:02+05:00, ramil@mysql.com +1 -0
  Fix for bug #21142: Malformed insert causes a segmentation fault.
    - possible stack overflow fixed.
[13 Sep 2006 9:50] Timothy Smith
Thank you, Ramil.  Looks fine.
[3 Oct 2006 20:02] Chad MILLER
Available in 5.0.26.
[3 Oct 2006 20:15] Chad MILLER
Available in 5.1.12-beta.
[4 Oct 2006 1:58] Paul Dubois
Noted in 5.0.26, 5.1.12 changelogs.

Certain malformed INSERT statements could crash the mysql client.
[4 Oct 2006 13:56] Chad MILLER
Available in 4.1.22.
[6 Mar 2007 17:54] Sergei Golubchik
The fix didn't make into 5.0.26, it was first in 5.0.30
[6 Mar 2007 19:15] Paul Dubois
Moved 5.0.26 changelog entry to 5.0.30.
Added entry to 4.1.22.