Bug #21288 mysqldump segmentation fault when using --where
Submitted: 26 Jul 2006 5:33 Modified: 4 Sep 2006 22:01
Reporter: Lachlan Mulcahy
Status: Closed
Category: MySQL Server: mysqldump Command-line Client    Severity: S3 (Non-critical)
Version: 4.1.20    OS: Any (Any)
Assigned to: Jim Winstead    CPU Architecture: Any

[26 Jul 2006 5:33] Lachlan Mulcahy
Description:
Issuing a particular invalid --where parameter to mysqldump will cause it to segmentation fault after returning an error instead of exiting cleanly. It seems to be sensitive to the length of the second string of x's.

Removing one of the x's in the second set will avoid the segfault.

I'm not sure if this has any impact on legitimate WHERE parameters or not.

I have had this reported on RedHat FC4 w/ SELinux and have been able to reproduce it on Mac OS X, so it seemingly affects at least any Unix-based system.

How to repeat:
In the test database:

CREATE TABLE t1 (a INT);

On the command-line:

mysqldump -u root test t1 --where='xx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

Here is the output:

-- MySQL dump 10.9
--
-- Host: localhost    Database: test
-- ------------------------------------------------------
-- Server version       4.1.20-debug

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;

--
-- Table structure for table `t1`
--

DROP TABLE IF EXISTS `t1`;
CREATE TABLE `t1` (
  `a` int(11) default NULL
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

--
-- Dumping data for table `t1`
--
-- WHERE:  xx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

mysqldump: mysqldump: Couldn't execute 'SELECT /*!40001 SQL_NO_CACHE */ * FROM `t1` WHERE xx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx': You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' at line 1 (1064)
Segmentation fault

Suggested fix:
Unknown.
[26 Jul 2006 5:47] Lachlan Mulcahy
I should add that users running SELinux will not get to see any error message and instead SELinux will kill the mysqldump process with a "buffer overflow detected" message and print a stack dump.
[17 Aug 2006 20:59] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/10603

ChangeSet@1.2538, 2006-08-17 14:09:24-07:00, jimw@rama.(none) +3 -0
  Bug #21288: mysqldump segmentation fault when using --where
  
    The problem was that the error handling was using a too-small buffer to
    print the error message generated. We fix this by not using a buffer at
    all, but by using fprintf() directly. There were also some problems with
    the error handling in table dumping that were exposed by this fix; these
    were also corrected.
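To show the defect class the commit message describes (a formatted error message written into a fixed-size buffer) next to the fix it describes (writing with fprintf() directly), here is an added example; it is not mysqldump's code, and ERRBUF, the query strings and the function names are constructed for illustration.

```c
#include <stdio.h>

/* Added illustration of the defect class behind Bug #21288; not mysqldump's code.
 * The reported pattern formatted "Couldn't execute '<query>': <error> (<errno>)"
 * into a fixed-size stack buffer with sprintf(), so a long enough query (the
 * --where text is appended to it) wrote past the buffer: the segfault, or the
 * "buffer overflow detected" abort, seen in the report. Unsafe shape, as comment:
 *   char buf[ERRBUF];
 *   sprintf(buf, "Couldn't execute '%s': %s (%d)", query, err, errnum);
 */
#define ERRBUF 100   /* hypothetical size, chosen so truncation is easy to show */

static const char SHORT_Q[] = "SELECT * FROM `t1`";
/* Constructed query in the shape mysqldump builds from the report's --where. */
static const char LONG_Q[]  = "SELECT /*!40001 SQL_NO_CACHE */ * FROM `t1` "
                              "WHERE xx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
static const char SQL_ERR[] = "You have an error in your SQL syntax";

/* Bounded variant: snprintf() writes at most cap bytes and NUL-terminates.
 * Its return value is the length the full message needs, so needed >= cap is
 * precisely the case where sprintf() would have overflowed. Returns 1 if the
 * whole message fit, 0 if it was truncated. */
int format_error(char *out, size_t cap, const char *query, const char *err, int errnum)
{
    int needed = snprintf(out, cap, "Couldn't execute '%s': %s (%d)", query, err, errnum);
    return needed >= 0 && (size_t)needed < cap;
}

/* Same check using the fixed buffer the unsafe code would have used. */
int message_fits(const char *query, const char *err, int errnum)
{
    char buf[ERRBUF];
    return format_error(buf, sizeof buf, query, err, errnum);
}

/* The fix's approach: no intermediate buffer; fprintf() streams the formatted
 * text, so message length cannot overflow anything. Returns bytes written. */
int report_error(FILE *stream, const char *query, const char *err, int errnum)
{
    return fprintf(stream, "mysqldump: Couldn't execute '%s': %s (%d)\n", query, err, errnum);
}

int main(void)
{
    printf("short query fits in %d bytes: %d\n", ERRBUF, message_fits(SHORT_Q, SQL_ERR, 1064));
    printf("long query fits in %d bytes:  %d\n", ERRBUF, message_fits(LONG_Q, SQL_ERR, 1064));
    report_error(stderr, LONG_Q, SQL_ERR, 1064);   /* safe regardless of length */
    return 0;
}
```

The long query is the case where the sprintf() version would have run off the end of the buffer; format_error() reports it as truncated instead, and report_error() writes it in full.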
[21 Aug 2006 19:11] Chad MILLER
Patch 10603 looks good to me.
[1 Sep 2006 4:12] Jim Winstead
Pushed into mysql-4.1-maint, mysql-5.0-maint, and mysql-5.1-new-maint.
[1 Sep 2006 11:01] Magnus Blåudd
Pushed to 4.1.22
[2 Sep 2006 9:31] Timothy Smith
Merged to 5.0 (will be in 5.0.25)

TODO: merge to 5.1
[4 Sep 2006 22:01] Paul Dubois
Test case change. No changelog entry needed.
[13 Sep 2006 8:47] Timothy Smith
Pushed to 5.1.12