Bug #31019 MOD() Function and Operator Crashes MySQL when Divisor is Very Long and < 1
Submitted: 14 Sep 2007 4:39 Modified: 5 Nov 2007 3:18
Reporter: Chad Maynard
Status: Closed
Category: MySQL Server: General    Severity: S1 (Critical)
Version: 5.0.45    OS: Microsoft Windows
Assigned to: Gleb Shchepa
Tags: mod, modulus

[14 Sep 2007 4:39] Chad Maynard
Description:
If you use MOD(m,n) or m % n and n is less than one and extremely long, MySQL chokes on it and the service stops. I tested this myself on 5.0.27-community-nt as well as 5.1.something (it will not restart since I crashed it, and I don't remember the exact version). I also tried this on several different 4.1, 5.0 and 5.1 versions on Linux; these versions did *not* have the same issue.

How to repeat:
mysql> select 1 % .123456789123456789123456789123456789123456789123456789123456789123456789123456789;
***(About ten seconds elapses)
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>

Now MySQL service is no longer running.
[14 Sep 2007 4:54] Valerii Kravchuk
Thank you for the bug report. Verified just as described with 5.0.44 on Windows. Note that 5.1.21 has no similar crash:

C:\Program Files\MySQL\MySQL Server 5.1\bin>mysql -T -uroot -proot test -P3310
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.1.21-beta-community-debug MySQL Community Server - Debug (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select 1 % .123456789123456789123456789123456789123456789123456789123456789123456789123456789;
+----------------------------------------------------------------------------------------+
| 1 % .123456789123456789123456789123456789123456789123456789123456789123456789123456789 |
+----------------------------------------------------------------------------------------+
|    0.012345687012345687012345687012345687012345687012345687012345687012345687000000000 |
+----------------------------------------------------------------------------------------+
1 row in set (0.25 sec)
[7 Oct 2007 22:47] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/35067

ChangeSet@1.2551, 2007-10-08 03:48:59+05:00, gshchepa@gleb.loc +3 -0
  Fixed bug #31019: the MOD() function and the % operator crash the server
  when a divisor is less than 1 and its fractional part is very long.
  For example:
  1 % .123456789123456789123456789123456789123456789123456789123456789123456789123456789;
  
  Stack buffer overflow has been fixed in the do_div_mod function.
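The arithmetic behind the query in the report and in the commit message above, as an added example that is neither part of this bug report nor MySQL's own code: it computes the remainder exactly with Python integers, so you can see that the result's scale is the divisor's scale (81 fractional digits here, the quantity a fixed-size stack buffer in do_div_mod could not hold), and it rejects a scale above a caller-chosen bound instead of writing past a buffer. The function names, the default bound and the NULL-for-zero-divisor handling are assumptions, not MySQL's.

```python
# Added example, not code from the bug report or from MySQL.
# Exact decimal modulo on digit strings, to show what the server computes
# for the query in bug #31019 and how the result's length depends on the
# divisor's fractional part.

def _scaled_int(literal: str, scale: int) -> int:
    """Parse an unsigned decimal literal into an integer scaled by 10**scale."""
    whole, _, frac = literal.partition(".")
    frac = frac.ljust(scale, "0")          # pad so both operands share one scale
    return int((whole or "0") + frac)


def decimal_mod(dividend: str, divisor: str, max_scale: int = 100):
    """dividend % divisor as a decimal string carrying the larger of the two
    scales, computed with unbounded integers. The sign follows the dividend,
    as in MySQL. Returns None for a zero divisor (the server returns NULL).
    max_scale is an assumed guard, not a MySQL limit: code that formats into
    a fixed-size buffer must reject what it cannot hold rather than overflow."""
    neg = dividend.startswith("-")
    a, b = dividend.lstrip("+-"), divisor.lstrip("+-")
    scale = max(len(a.partition(".")[2]), len(b.partition(".")[2]))
    if scale > max_scale:
        raise ValueError(f"scale {scale} exceeds capacity {max_scale}")
    big_b = _scaled_int(b, scale)
    if big_b == 0:
        return None
    r = _scaled_int(a, scale) % big_b
    digits = str(r).rjust(scale + 1, "0")  # keep at least one digit before the point
    out = digits[:-scale] + "." + digits[-scale:] if scale else digits
    return "-" + out if neg and r else out


# The divisor literal from the report, written compactly: 81 fractional digits.
DIVISOR = "." + "123456789" * 9

if __name__ == "__main__":
    print(decimal_mod("1", DIVISOR))
```

The exact remainder's 81 fractional digits are 012345687 repeated eight times followed by 012345688; the 5.1.21 output quoted above agrees in the first 72 digits and prints zeros for the last nine, so the server's result is not the exact remainder at that scale.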
[11 Oct 2007 17:34] Shane Bester
5.1.22-rc was affected too:

Version: '5.1.22-rc-community-debug'  socket: ''  port: 3306  MySQL Community Server - Debug (GPL)
Error:Run-Time Check Failure #2 - Stack around the variable 'decimal_value' was corrupted. At :0
[29 Oct 2007 8:42] Bugs System
Pushed into 5.0.52
[29 Oct 2007 8:46] Bugs System
Pushed into 5.1.23-beta
[29 Oct 2007 8:49] Bugs System
Pushed into 6.0.4-alpha
[5 Nov 2007 3:18] Paul Dubois
Noted in 5.0.52, 5.1.23, 6.0.4 changelogs.

The MOD() function and the % operator crashed the server for a divisor less than 1 with a very long fractional part.