Bug #24630 Subselect query crashes mysqld
Submitted: 27 Nov 2006 19:03 Modified: 22 Feb 2007 14:56
Reporter: Oren Isacson
Status: Closed
Category:MySQL Server Severity:S2 (Serious)
Version:5.0.27/5.0BK/5.1BK OS:Microsoft Windows (Windows/Linux)
Assigned to: Sergey Glukhov
Tags: Q1

[27 Nov 2006 19:03] Oren Isacson
Description:
select 1 from information_schema.tables  where "CHARACTER_SETS"=(select cast(table_name as char)  from information_schema.tables 
 order by table_name limit 1);

On windows, the error message is:
The instruction at "0x00414780" referenced memory at "0x00000018". The memory could not be "read". 

On Linux the server crashes too.

The server also crashes with other similar queries.

How to repeat:
See description

Suggested fix:
The problem goes away after changing line 276 of filesort.cpp to
if (outfile && my_b_inited(outfile))
and recompiling. After that, the server returns the expected results.
[27 Nov 2006 20:59] Miguel Solorzano
Thank you for the bug report.

miguel@hegel:~/dbs/5.0> bin/mysql -uroot
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.0.32-debug Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select 1 from information_schema.tables  where "CHARACTER_SETS"=(select
    -> cast(table_name as char)  from information_schema.tables 
    ->  order by table_name limit 1);
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql> 

miguel@hegel:~/dbs/5.1> bin/mysql -uroot
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.1.14-beta-debug Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select 1 from information_schema.tables  where "CHARACTER_SETS"=(select
    -> cast(table_name as char)  from information_schema.tables 
    ->  order by table_name limit 1);
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>
[7 Dec 2006 14:14] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/16589

ChangeSet@1.2326, 2006-12-07 19:25:21+04:00, gluh@mysql.com +6 -0
  Bug#24630 Subselect query crashes mysqld
  The crash happens because second filling of the same I_S table happens in
  case of subselect with order by. table->sort.io_cache previously allocated
  in create_sort_index() is deleted during second filling
  (function get_schema_tables_result). There are two places where
  I_S table can be filled: JOIN::exec and create_sort_index().
  To fix the bug we should check if the table was already filled
  in one of these places and skip processing of the table in second.
[12 Feb 2007 12:09] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/19685

ChangeSet@1.2412, 2007-02-12 16:06:14+04:00, gluh@mysql.com +7 -0
  Bug#24630 Subselect query crashes mysqld
  The crash happens because second filling of the same I_S table happens in
  case of subselect with order by. table->sort.io_cache previously allocated
  in create_sort_index() is deleted during second filling
  (function get_schema_tables_result). There are two places where
  I_S table can be filled: JOIN::exec and create_sort_index().
  To fix the bug we should check if the table was already filled
  in one of these places and skip processing of the table in second.
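The two commit messages above describe the same lifecycle defect: an INFORMATION_SCHEMA table gets materialised once in JOIN::exec, create_sort_index() then allocates table->sort.io_cache over those rows, and the subselect triggers a second fill in get_schema_tables_result() that throws that cache away while filesort still expects to read it. The C program below is an added, deliberately simplified model of that sequence; it is not MySQL's code, and the struct names, the `filled` flag and the `skip_if_filled` switch are assumptions chosen to mirror the description. It replays fill, sort, fill with and without the committed fix (skip a table that is already filled) and reports whether the sort cache survives to the point where the unpatched server dereferenced freed memory.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified model of the lifecycle in the commit message;
 * names mirror the description, not MySQL's real data structures. */

typedef struct {
    char *buf;          /* stands in for the buffer behind table->sort.io_cache */
    size_t size;
} sort_cache_t;

typedef struct {
    int filled;             /* assumed "already materialised" flag the fix relies on */
    int rows;
    sort_cache_t *sort_cache;
} is_table_t;

/* "Fill" stage: get_schema_tables_result materialises the I_S rows.
 * Re-filling resets the table, which discards a sort cache built earlier. */
static void fill_schema_table(is_table_t *t, int skip_if_filled)
{
    if (skip_if_filled && t->filled)
        return;                       /* committed fix: second fill is skipped */
    if (t->sort_cache) {              /* reset throws away previous sort state */
        free(t->sort_cache->buf);
        free(t->sort_cache);
        t->sort_cache = NULL;
    }
    t->rows = 3;                      /* constructed row count */
    t->filled = 1;
}

/* "Sort" stage: create_sort_index allocates the cache ORDER BY will read. */
static void create_sort_index(is_table_t *t)
{
    t->sort_cache = calloc(1, sizeof *t->sort_cache);
    if (!t->sort_cache) abort();
    t->sort_cache->size = (size_t)t->rows * 16;
    t->sort_cache->buf = calloc(t->sort_cache->size, 1);
    if (!t->sort_cache->buf) abort();
}

static void release_table(is_table_t *t)
{
    if (t->sort_cache) {
        free(t->sort_cache->buf);
        free(t->sort_cache);
        t->sort_cache = NULL;
    }
}

/* Replays the sequence from the report: fill (JOIN::exec), sort (ORDER BY),
 * then a second fill triggered by the subselect. Returns 1 if the sort cache
 * is still present when filesort goes to read it, 0 if it has been deleted.
 * The NULL test plays the role of the reporter's my_b_inited() use-site
 * check; the unpatched server had no such check and read freed memory. */
static int subselect_with_order_by(int skip_if_filled)
{
    is_table_t t = {0, 0, NULL};
    fill_schema_table(&t, skip_if_filled);   /* first fill in JOIN::exec */
    create_sort_index(&t);                   /* ORDER BY allocates sort.io_cache */
    fill_schema_table(&t, skip_if_filled);   /* second fill from the subselect */
    int cache_alive = (t.sort_cache != NULL && t.sort_cache->buf != NULL);
    release_table(&t);
    return cache_alive;
}

int main(void)
{
    printf("unguarded double fill: sort cache alive = %d\n", subselect_with_order_by(0));
    printf("guarded double fill:   sort cache alive = %d\n", subselect_with_order_by(1));
    return 0;
}
```

The model makes the difference between the two proposed fixes visible: the reporter's `my_b_inited(outfile)` test guards the use site (the NULL check in `subselect_with_order_by`), whereas the committed patch removes the dangerous second fill altogether (`skip_if_filled`), so the cache never becomes dangling in the first place.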
[14 Feb 2007 10:39] Igor Babaev
The fix has been pushed into 5.0.36 and 5.1.16-beta.
[22 Feb 2007 14:56] Paul Dubois
Noted in 5.0.36, 5.1.16 changelogs.

Using an INFORMATION_SCHEMA table with ORDER BY in a subquery could
cause a server crash.
[15 Mar 2007 13:28] Paul Dubois
Elevated changelog entry to security fix, added CVE number.