Bug #44684 valgrind reports invalid reads in Item_func_spatial_collection::val_str
Submitted: 6 May 2009 7:54 Modified: 17 Jul 2009 2:49
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Server: GIS Severity: S3 (Non-critical)
Version: 5.1.35 OS: Linux
Assigned to: Martin Hansson CPU Architecture: Any
Tags: regression, valgrind
Triage: Triaged: D2 (Serious)

[6 May 2009 7:54] Shane Bester
Description:
2 errors in context 1 of 6:
 Conditional jump or move depends on uninitialised value(s)
at: Item_func_spatial_collection::val_str(String*) (item_geofunc.cc:429)
by: Item::save_in_field(Field*, bool) (item.cc:4892)
by: fill_record(THD*, Field**, List<Item>&, bool) (sql_base.cc:8203)
by: select_union::send_data(List<Item>&) (sql_union.cc:60)
by: JOIN::exec() (sql_select.cc:1688)
by: mysql_select
by: handle_select
by: execute_sqlcom_select
by: mysql_execute_command
by: mysql_open_cursor
by: Prepared_statement::execute
by: Prepared_statement::execute_loop

2 errors in context 2 of 6:
 Invalid read of size 4
at: Item_func_spatial_collection::val_str(String*) (item_geofunc.cc:429)
by: Item::save_in_field(Field*, bool) (item.cc:4892)
by: fill_record(THD*, Field**, List<Item>&, bool) (sql_base.cc:8203)
by: select_union::send_data(List<Item>&) (sql_union.cc:60)
by: JOIN::exec() (sql_select.cc:1688)
by: mysql_select
by: handle_select
by: execute_sqlcom_select
by: mysql_execute_command
by: mysql_open_cursor
by: Prepared_statement::execute
by: Prepared_statement::execute_loop

  Address 0x7BAB635 is 5 bytes inside a block of size 8 alloc'd
at: malloc (vg_replace_malloc.c:149)
by: my_malloc (my_malloc.c:34)
by: String::real_alloc(unsigned) (sql_string.cc:51)
by: String::copy (sql_string.h:202)
by: String::copy (sql_string.cc:334)
by: Item_param::set_str(char const*, unsigned long) (item.cc:2699)
by: set_param_str (sql_prepare.cc:593)
by: insert_params (sql_prepare.cc:806)
by: Prepared_statement::set_parameters (sql_prepare.cc:3153)
by: Prepared_statement::execute_loop (sql_prepare.cc:3212)
by: mysql_stmt_execute(sql_prepare.cc:2462)
by: dispatch_command

How to repeat:
Test case will come later.
[6 May 2009 7:56] Shane Bester
Full stack trace of the error.

Attachment: bug44684_full_5.1.35_valgrind.txt (text/plain), 4.05 KiB.

[9 May 2009 19:38] Shane Bester
Test case
--------
Run mysqld under valgrind and watch for warnings from the testcase:

prepare stmt from "select linestring(?,'')";
set @a='11111';
execute stmt using @a;
deallocate prepare stmt;
[9 May 2009 19:40] Shane Bester
Didn't affect 5.0.82 or 5.1.32.
[10 Jun 2009 14:57] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/76038

2931 Martin Hansson	2009-06-10
      Bug#44684: valgrind reports invalid reads in
      Item_func_spatial_collection::val_str

      When the concatenation function for geometry data collection
      reads the binary data it expects a 4 byte type code, but if the
      length of the data is between 0 and 4
     @ mysql-test/r/gis.result
        Bug#44684: Test result.
     @ mysql-test/t/gis.test
        Bug#44684: Test case. Gives valgrind errors.
     @ sql/item_geofunc.cc
        Bug#44684: Fix: extra check.
[10 Jun 2009 15:03] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/76040

2931 Martin Hansson	2009-06-10
      Bug#44684: valgrind reports invalid reads in
      Item_func_spatial_collection::val_str

      When the concatenation function for geometry data collections
      reads the binary data it expects a 4 byte type code right after the
      header bytes, but if the length of the data beyond these is between
      0 and 4, we read from unallocated memory.
      Fixed by checking that there is at least 4 bytes of data allocated
      for the type code.
     @ mysql-test/r/gis.result
        Bug#44684: Test result
     @ mysql-test/t/gis.test
        Bug#44684: Test case
     @ sql/item_geofunc.cc
        Bug#44684: Fix.
[16 Jun 2009 14:12] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/76397

2931 Martin Hansson	2009-06-16
      Bug#44684: valgrind reports invalid reads in
      Item_func_spatial_collection::val_str

      When the concatenation function for geometry data collections
      reads the binary data it was not rigorous in checking that there
      is data available, leading to invalid reads and crashes.
      Fixed by making checking stricter.
     @ mysql-test/r/gis.result
        Bug#44684: Test result
     @ mysql-test/t/gis.test
        Bug#44684: Test case
     @ sql/item_geofunc.cc
        Bug#44684: fix(es)
        - Check that there are 4 bytes available for type code.
        - Check that there is at least one point available for linestring.
        - Check that there are at least 2 points in a polygon and
          data for all the points.
[17 Jun 2009 15:03] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/76475

2931 Martin Hansson	2009-06-17
      Bug#44684: valgrind reports invalid reads in
      Item_func_spatial_collection::val_str

      When the concatenation function for geometry data collections
      reads the binary data it was not rigorous in checking that there
      is data available, leading to invalid reads and crashes.
      Fixed by making checking stricter.
     @ mysql-test/r/gis.result
        Bug#44684: Test result
     @ mysql-test/t/gis.test
        Bug#44684: Test case
     @ sql/item_geofunc.cc
        Bug#44684: fix(es)
        - Check that there are 4 bytes available for type code.
        - Check that there is at least one point available for linestring.
        - Check that there are at least 2 points in a polygon and
          data for all the points.
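The fix list in the two commit messages above (4 bytes available for the type code, at least one point in a linestring, at least two points in a polygon plus data for every point) is the bounds checking any reader of attacker-supplied binary geometry needs before it dereferences a length or a count. The C program below is an added example written for this page; it is not MySQL's code and not the committed patch. It validates a simplified SRID + WKB-style blob with those three checks (the polygon minimum applied per ring) against constructed inputs, including a 5-byte string like the '11111' parameter from the test case, which is too short to hold a type code at all. The blob layout, the type-code values, and every function and constant name (validate_geometry, consume_points, geometry_size, GEOM_HEADER_SIZE and the GEOM_ERR_* codes) are assumptions of this example.

```c
/*
 * Added example, not MySQL's code: bounds-checked reader for a simplified
 * geometry blob. The layout is an assumption modelled on SRID + WKB:
 *   bytes 0..3  SRID (not interpreted here)
 *   byte  4     byte-order flag, 1 = little-endian (only value accepted)
 *   bytes 5..8  uint32 type code: 1 = Point, 2 = LineString, 3 = Polygon
 *   payload     Point: 2 doubles; LineString: uint32 count + points;
 *               Polygon: uint32 ring count, each ring = uint32 count + points
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GEOM_HEADER_SIZE 9   /* SRID + byte-order flag + 4-byte type code */
#define POINT_SIZE       16  /* two IEEE doubles */

enum geom_type { GEOM_POINT = 1, GEOM_LINESTRING = 2, GEOM_POLYGON = 3 };

enum geom_err {
  GEOM_OK = 0,
  GEOM_ERR_SHORT_HEADER,    /* no room for the 4-byte type code */
  GEOM_ERR_BAD_ORDER,       /* unsupported byte-order flag */
  GEOM_ERR_BAD_TYPE,        /* unknown type code */
  GEOM_ERR_NO_POINTS,       /* linestring with zero points */
  GEOM_ERR_TOO_FEW_POINTS,  /* polygon ring with fewer than 2 points */
  GEOM_ERR_TRUNCATED        /* a count promises more bytes than are present */
};

/* Little-endian uint32; the caller has already verified 4 bytes remain. */
static uint32_t read_u32le(const unsigned char *p)
{
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
         ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Consume "uint32 count, then count points" at data[*pos]. Comparing the
 * count against remaining / POINT_SIZE (rather than multiplying) means a
 * hostile count cannot overflow the size arithmetic. */
static enum geom_err consume_points(const unsigned char *data, size_t len,
                                    size_t *pos, uint32_t min_points,
                                    enum geom_err too_few)
{
  uint32_t n;
  if (len - *pos < 4)
    return GEOM_ERR_TRUNCATED;
  n = read_u32le(data + *pos);
  *pos += 4;
  if (n < min_points)
    return too_few;
  if (n > (len - *pos) / POINT_SIZE)
    return GEOM_ERR_TRUNCATED;
  *pos += (size_t)n * POINT_SIZE;
  return GEOM_OK;
}

/* Validate one blob; on success *consumed (if non-NULL) is the bytes used. */
enum geom_err validate_geometry(const unsigned char *data, size_t len,
                                size_t *consumed)
{
  size_t pos;
  uint32_t type, rings, i;
  enum geom_err e;

  /* Check 1: the type code must lie entirely inside the buffer. */
  if (len < GEOM_HEADER_SIZE)
    return GEOM_ERR_SHORT_HEADER;
  if (data[4] != 1)
    return GEOM_ERR_BAD_ORDER;
  type = read_u32le(data + 5);
  pos = GEOM_HEADER_SIZE;

  switch (type) {
  case GEOM_POINT:
    if (len - pos < POINT_SIZE)
      return GEOM_ERR_TRUNCATED;
    pos += POINT_SIZE;
    break;
  case GEOM_LINESTRING:
    /* Check 2: at least one point, and bytes for every point claimed. */
    e = consume_points(data, len, &pos, 1, GEOM_ERR_NO_POINTS);
    if (e != GEOM_OK)
      return e;
    break;
  case GEOM_POLYGON:
    /* Check 3: at least two points per ring, and bytes for every point. */
    if (len - pos < 4)
      return GEOM_ERR_TRUNCATED;
    rings = read_u32le(data + pos);
    pos += 4;
    for (i = 0; i < rings; i++) {
      e = consume_points(data, len, &pos, 2, GEOM_ERR_TOO_FEW_POINTS);
      if (e != GEOM_OK)
        return e;
    }
    break;
  default:
    return GEOM_ERR_BAD_TYPE;
  }
  if (consumed)
    *consumed = pos;
  return GEOM_OK;
}

/* Bytes a valid blob occupies, or 0 if validation fails. */
size_t geometry_size(const unsigned char *data, size_t len)
{
  size_t used = 0;
  return validate_geometry(data, len, &used) == GEOM_OK ? used : 0;
}

/* Constructed sample blobs (not taken from the report's attachment). */
const unsigned char SAMPLE_SHORT[] = { '1','1','1','1','1' };  /* like '11111' */
const unsigned char SAMPLE_POINT[] = { 0,0,0,0, 1, 1,0,0,0,
  0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0 };                             /* POINT(0 0) */
const unsigned char SAMPLE_EMPTY_LINE[] = { 0,0,0,0, 1, 2,0,0,0, 0,0,0,0 };
const unsigned char SAMPLE_TRUNC_LINE[] = { 0,0,0,0, 1, 2,0,0,0, 2,0,0,0,
  0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0 };                   /* 2 promised, 1 present */
const unsigned char SAMPLE_TINY_RING[] = { 0,0,0,0, 1, 3,0,0,0, 1,0,0,0, 1,0,0,0,
  0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0 };                   /* one ring of one point */
const unsigned char SAMPLE_HUGE_COUNT[] = { 0,0,0,0, 1, 2,0,0,0, 0xff,0xff,0xff,0xff };

int main(void)
{
  printf("short  -> %d\n", validate_geometry(SAMPLE_SHORT, sizeof SAMPLE_SHORT, NULL));
  printf("point  -> %zu bytes\n", geometry_size(SAMPLE_POINT, sizeof SAMPLE_POINT));
  printf("huge   -> %d\n", validate_geometry(SAMPLE_HUGE_COUNT, sizeof SAMPLE_HUGE_COUNT, NULL));
  return 0;
}
```

Each rejection returns before any read past the buffer, which is the property the valgrind trace in the report shows was missing: with a 5-byte argument the type code would sit at offsets 5 through 8, past the end of the data.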
[8 Jul 2009 13:30] Bugs System
Pushed into 5.1.37 (revid:joro@sun.com-20090708131116-kyz8iotbum8w9yic) (version source revid:mhansson@mysql.com-20090617153453-teigzx25qzxfdb59) (merge vers: 5.1.36) (pib:11)
[9 Jul 2009 7:37] Bugs System
Pushed into 5.1.37 (revid:joro@sun.com-20090708131116-kyz8iotbum8w9yic) (version source revid:mhansson@mysql.com-20090617153453-teigzx25qzxfdb59) (merge vers: 5.1.36) (pib:11)
[10 Jul 2009 11:21] Bugs System
Pushed into 5.4.4-alpha (revid:anozdrin@bk-internal.mysql.com-20090710111017-bnh2cau84ug1hvei) (version source revid:kristofer.pettersson@sun.com-20090617180427-zxqutdhvhzdhoa8s) (merge vers: 5.4.4-alpha) (pib:11)
[17 Jul 2009 2:49] Paul Dubois
Noted in 5.1.37, 5.4.4 changelogs.

When reading binary data, the concatenation function for geometry
data collections did not rigorously check for available data, leading
to invalid reads and server crashes.
[12 Aug 2009 22:29] Paul Dubois
Noted in 5.4.2 changelog because next 5.4 version will be 5.4.2 and not 5.4.4.
[15 Aug 2009 1:49] Paul Dubois
Ignore previous comment about 5.4.2.
[26 Aug 2009 13:46] Bugs System
Pushed into 5.1.37-ndb-7.0.8 (revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers: 5.1.37-ndb-7.0.8) (pib:11)
[26 Aug 2009 13:46] Bugs System
Pushed into 5.1.37-ndb-6.3.27 (revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc) (version source revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc) (merge vers: 5.1.37-ndb-6.3.27) (pib:11)
[26 Aug 2009 13:48] Bugs System
Pushed into 5.1.37-ndb-6.2.19 (revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4) (version source revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4) (merge vers: 5.1.37-ndb-6.2.19) (pib:11)
[27 Aug 2009 16:33] Bugs System
Pushed into 5.1.35-ndb-7.1.0 (revid:magnus.blaudd@sun.com-20090827163030-6o3kk6r2oua159hr) (version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers: 5.1.37-ndb-7.0.8) (pib:11)
[7 Oct 2009 20:20] Paul Dubois
The 5.4 fix has been pushed to 5.4.2.