| Bug #25172 | Server crash with GROUP and LIMIT | | |
|---|---|---|---|
| Submitted: | 19 Dec 2006 11:28 | Modified: | 1 Feb 2007 1:51 |
| Reporter: | Christian Hammers (Silver Quality Contributor) (OCA) | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server | Severity: | S2 (Serious) |
| Version: | 5.0.30 Enterprise | OS: | Linux (Debian GNU/Linux etch) |
| Assigned to: | Evgeny Potemkin | CPU Architecture: | Any |
[19 Dec 2006 11:28]
Christian Hammers
[19 Dec 2006 11:29]
Christian Hammers
mysqldump of database t_crash
Attachment: crash.sql (text/x-sql), 4.45 KiB.
[18 Jan 2007 17:10]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/18361

ChangeSet@1.2385, 2007-01-18 20:10:06+03:00, evgen@moonbone.local +8 -0
Bug#25172: Not checked buffer size leads to a server crash.
After the fix for bug#21798 JOIN stores the pointer to the buffer for sorting fields. It is used while sorting for grouping and for ordering. If the ORDER BY clause has more elements than the GROUP BY clause then a memory overrun occurs. Now JOIN stores the size of the allocated buffer and allocates a new one if needed.
[18 Jan 2007 20:25]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/18379

ChangeSet@1.2385, 2007-01-18 23:24:40+03:00, evgen@moonbone.local +7 -0
Bug#25172: Not checked buffer size leads to a server crash.
After the fix for bug#21798 JOIN stores the pointer to the buffer for sorting fields. It is used while sorting for grouping and for ordering. If the ORDER BY clause has more elements than the GROUP BY clause then a memory overrun occurs. Now the ORDER BY list is always passed to the make_unireg_sortorder() function and it allocates a buffer big enough to be used for the bigger list.
[19 Jan 2007 15:35]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/18443

ChangeSet@1.2385, 2007-01-19 18:34:09+03:00, evgen@moonbone.local +6 -0
Bug#25172: Not checked buffer size leads to a server crash.
After the fix for bug#21798 JOIN stores the pointer to the buffer for sorting fields. It is used while sorting for grouping and for ordering. If the ORDER BY clause has more elements than the GROUP BY clause then a memory overrun occurs. Now the length of the ORDER BY list is always passed to the make_unireg_sortorder() function and it allocates a buffer big enough to be used for the bigger list.
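The three changesets above describe one defect: since the fix for bug#21798, JOIN caches a sort-order buffer that was sized for the GROUP BY list and reuses it for the ORDER BY list, so an ORDER BY with more elements writes past the end of the allocation. The C program below is an added example, not code from the MySQL tree or from the patch; it models that reuse with hypothetical names (sort_entry, join_sort_buf, fill_unchecked, old_path_overruns, sortbuf_reserve, sortbuf_fill stand in for JOIN's cached buffer and make_unireg_sortorder(), whose real layouts are not shown on this page). The pre-fix path is run against a canary placed where a GROUP BY-sized buffer would end, so the overrun is observable without undefined behaviour; the fixed path does what the final changeset describes, sizing the buffer for the longer of the two lists and recording its capacity so a later fill can be bounds-checked.

```c
/* Added example, not MySQL source: models the sort-order buffer reuse that
 * the Bug#25172 changesets describe. All names are hypothetical stand-ins. */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define CANARY 0xA5A5A5A5u

/* One sort key; assumed layout, standing in for MySQL's sort field struct. */
typedef struct {
    const char *field;
    unsigned    descending;
} sort_entry;

/* What the JOIN keeps between the GROUP BY and ORDER BY sort passes. */
typedef struct {
    sort_entry *buf;
    size_t      cap;   /* entries allocated: the size the old code did not record */
} join_sort_buf;

/* Pre-fix behaviour: copy n keys into buf with no idea how big buf is. */
static void fill_unchecked(sort_entry *buf, const char *const *fields, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        buf[i].field = fields[i];
        buf[i].descending = 0;
    }
}

/* Shows the overrun without undefined behaviour. The backing block is large
 * enough for the ORDER BY list, but a canary sits right after the first
 * group_len entries, i.e. where a buffer sized for the GROUP BY list ends.
 * Returns 1 if reusing that buffer for order_len keys clobbered the canary,
 * 0 if it did not, -1 on allocation failure. */
int old_path_overruns(size_t group_len, const char *const *order_fields, size_t order_len)
{
    size_t canary_off = group_len * sizeof(sort_entry);
    size_t bytes = (order_len + 1) * sizeof(sort_entry) + sizeof(unsigned);
    if (canary_off + sizeof(unsigned) > bytes)
        bytes = canary_off + sizeof(unsigned);
    unsigned char *block = malloc(bytes);
    if (!block) return -1;
    memset(block, 0, bytes);
    unsigned canary = CANARY;
    memcpy(block + canary_off, &canary, sizeof canary);

    /* The cached GROUP BY buffer is reused for the longer ORDER BY list. */
    fill_unchecked((sort_entry *)block, order_fields, order_len);

    memcpy(&canary, block + canary_off, sizeof canary);
    free(block);
    return canary != CANARY;
}

/* Fixed behaviour, as in the final changeset: size the cached buffer for the
 * longer of the two lists and remember the capacity. Returns 0, or -1 if
 * realloc fails. */
int sortbuf_reserve(join_sort_buf *jb, size_t group_len, size_t order_len)
{
    size_t need = group_len > order_len ? group_len : order_len;
    if (need <= jb->cap) return 0;
    sort_entry *p = realloc(jb->buf, need * sizeof *p);
    if (!p) return -1;
    jb->buf = p;
    jb->cap = need;
    return 0;
}

/* The bounds check the pre-fix path lacked: refuse lists longer than cap. */
int sortbuf_fill(join_sort_buf *jb, const char *const *fields, size_t n)
{
    if (n > jb->cap) return -1;
    fill_unchecked(jb->buf, fields, n);
    return 0;
}

int main(void)
{
    /* Constructed lists: one GROUP BY column, three ORDER BY columns. */
    const char *const grp[] = { "a" };
    const char *const ord[] = { "a", "b", "c" };
    printf("old path overruns: %d\n", old_path_overruns(1, ord, 3));

    join_sort_buf jb = { NULL, 0 };
    if (sortbuf_reserve(&jb, 1, 3) == 0 &&
        sortbuf_fill(&jb, grp, 1) == 0 && sortbuf_fill(&jb, ord, 3) == 0)
        printf("fixed path: cap=%zu, last key=%s\n", jb.cap, jb.buf[2].field);
    free(jb.buf);
    return 0;
}
```

The first changeset's variant (keep the pointer, record the size, reallocate when a longer list arrives) is what sortbuf_reserve does when called again with a larger length; the later changesets avoid the second allocation by passing the ORDER BY length up front, which is the call shown in main.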
[28 Jan 2007 2:22]
Igor Babaev
The fix has been pushed into 5.0.36, 5.1.16-beta main trees.
[1 Feb 2007 1:51]
Jon Stephens
Thank you for your bug report. This issue has been committed to our source repository of that product and will be incorporated into the next release. If necessary, you can access the source repository and build the latest available version, including the bug fix. More information about accessing the source trees is available at http://dev.mysql.com/doc/en/installing-source.html Documented bugfix in 5.0.36 and 5.1.16 changelogs.