Bug #57931 Crash when argc = 0 due to incorrect replacement with valid argument list
Submitted: 2 Nov 2010 14:49 Modified: 29 Jul 2011 16:53
Reporter: Bartosz Fabianowski
Status: Closed Impact on me: None
Category:MySQL Server: Embedded Library ( libmysqld ) Severity:S3 (Non-critical)
Version:5.5.6, 5.6.99 OS:Any
Assigned to: Ramil Kalimullin CPU Architecture:Any
Tags: Contribution

[2 Nov 2010 14:49] Bartosz Fabianowski
Description:
All line numbers refer to lib_sql.cc from version 5.5.6.

When using the embedded server, init_embedded_server() takes arguments in argc and argv. It is permissible to set argc = argv = 0 if no arguments are needed. However, the argument parsing done by load_defaults() in line 507 and by init_common_variables() requires argc >= 1 and an existent argv[0]. The code that ensures this is broken.

In lines 491 and 492, argcp and argvp are pointed at fake_argc and fake_argv. These are then passed to load_defaults(), supplying it with a fake argument list that has *argcp = 1 entries.

Function init_common_variables() operates on remaining_argc and remaining_argv. As set in lines 510 and 511, these are identical to the original argc and argv. Thus, when argc = 0, so is remaining_argc and init_common_variables() crashes in handle_options().

How to repeat:
Initialize an embedded server with argc = argv = 0.

Suggested fix:
It must be ensured that remaining_argc >= 1 and remaining_argv[0] exists. If I understand the code in bzr before the current incarnation correctly, remaining_argc and remaining_argv may be initialized to the same values as defaults_argc and defaults_argv. Thus, the following patch should fix the issue (and fixes the crash for me):

--- libmysqld/lib_sql.cc.orig	2010-11-01 14:24:38.000000000 +0000
+++ libmysqld/lib_sql.cc	2010-11-01 14:24:54.000000000 +0000
@@ -507,8 +507,8 @@
   load_defaults("my", (const char **)groups, argcp, argvp);
   defaults_argc= *argcp;
   defaults_argv= *argvp;
-  remaining_argc= argc;
-  remaining_argv= argv;
+  remaining_argc= *argcp;
+  remaining_argv= *argvp;
 
   /* Must be initialized early for comparison of options name */
   system_charset_info= &my_charset_utf8_general_ci;
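Review bot: after this hunk remaining_argc/remaining_argv are copies of defaults_argc/defaults_argv, i.e. the list that load_defaults() just produced, so the two pairs alias one array; a short comment on the two `+` lines saying so would help, and it is worth confirming that remaining_argv is not read after the memory behind defaults_argv is released. The change does reach the reported case: the fake list substituted when argc == 0 now feeds the remaining_* pair as well, instead of the caller's original argc/argv.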
[3 Nov 2010 10:44] Sveta Smirnova
Thank you for the report.

Verified as described.

To repeat, get the example from http://dev.mysql.com/doc/refman/5.5/en/mysql-library-init.html ("For convenience, argc may be 0 (zero) if there are...") and get:

$./bug57931
my_getopt.c:125: failed assertion `argc && *argc >= 1'
Abort trap
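The mechanism described in the report, as an added stand-alone model that is not lib_sql.cc and not MySQL code: a fake single-entry argument list is substituted when the caller passes argc = argv = 0, a load_defaults() stand-in rebuilds the list, and the option parser then receives either the caller's original argc/argv (the bug) or the rebuilt list (the proposed patch). The names load_defaults_model, handle_options_model, init_model, init_buggy, init_fixed and demo_with_args, and the sample option strings, are constructed for this example; the parser stand-in returns -1 on an empty list where the real my_getopt code asserts and aborts.

```c
#include <stdio.h>
#include <stdlib.h>

/* Model of load_defaults(): returns a freshly allocated argv that keeps
 * argv[0] and inserts one option "read from a defaults file", and updates
 * *argcp / *argvp the way the real function does. Caller frees the array. */
static char **load_defaults_model(int *argcp, char ***argvp)
{
    static char defaults_opt[] = "--from-defaults-file";   /* constructed */
    int n = *argcp;
    char **out = malloc((size_t)(n + 2) * sizeof *out);
    if (out == NULL) return NULL;
    out[0] = (*argvp)[0];               /* program name must survive */
    out[1] = defaults_opt;
    for (int i = 1; i < n; i++) out[i + 1] = (*argvp)[i];
    out[n + 1] = NULL;
    *argcp = n + 1;
    *argvp = out;
    return out;
}

/* Model of handle_options(): returns the number of options seen, or -1
 * when the list is empty (the real code asserts argc >= 1 and aborts). */
static int handle_options_model(int argc, char **argv)
{
    if (argc < 1 || argv == NULL || argv[0] == NULL) return -1;
    return argc - 1;
}

/* Shared body of the init function. With use_parsed_list == 0 the
 * remaining_* pair is copied from the caller's argc/argv (the reported bug);
 * with 1 it is copied from *argcp/*argvp (what the proposed patch does). */
static int init_model(int argc, char **argv, int use_parsed_list)
{
    static char fake_name[] = "embedded";          /* constructed argv[0] */
    static char *fake_list[] = { fake_name, NULL };
    char **fake_argv = fake_list;
    int fake_argc = 1;
    int *argcp = &argc;
    char ***argvp = &argv;

    if (argc == 0) {                    /* caller passed argc = argv = 0 */
        argcp = &fake_argc;
        argvp = &fake_argv;
    }
    if (load_defaults_model(argcp, argvp) == NULL) return -1;
    int defaults_argc = *argcp;
    char **defaults_argv = *argvp;

    int remaining_argc = use_parsed_list ? *argcp : argc;
    char **remaining_argv = use_parsed_list ? *argvp : argv;

    /* Parse before the rebuilt list is freed: when fixed, remaining_argv
     * aliases defaults_argv, so the order of these two calls matters. */
    int rc = handle_options_model(remaining_argc, remaining_argv);
    (void)defaults_argc;
    free(defaults_argv);
    return rc;
}

int init_buggy(int argc, char **argv) { return init_model(argc, argv, 0); }
int init_fixed(int argc, char **argv) { return init_model(argc, argv, 1); }

/* Constructed sample invocation with a program name and one option;
 * both variants behave the same here because argc != 0. */
int demo_with_args(int use_parsed_list)
{
    static char prog[] = "mysqld", opt[] = "--verbose";
    char *args[] = { prog, opt, NULL };
    return init_model(2, args, use_parsed_list);
}

int main(void)
{
    printf("buggy, argc=0: %d (-1 = parser rejected empty list)\n", init_buggy(0, NULL));
    printf("fixed, argc=0: %d (options parsed from rebuilt list)\n", init_fixed(0, NULL));
    printf("buggy, argc=2: %d\n", demo_with_args(0));
    printf("fixed, argc=2: %d\n", demo_with_args(1));
    return 0;
}
```

The argc = 0 row is the only one where the two variants differ: the buggy ordering hands the parser the caller's empty list even though a fake one was substituted a few lines earlier, while the patched ordering hands it the rebuilt list, whose first entry is the fake program name.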
[13 Jan 2011 5:45] [ name withheld ]
An even easier way to test this is to run mysqltest_embedded without any command-line arguments.

The proposed patch fixes that for me.
[29 Jul 2011 15:46] [ name withheld ]
This appears to have been silently fixed in 5.5.15. I appreciate the fix, but isn't there a process to follow here?
[29 Jul 2011 15:53] Davi Arnaut
http://lists.mysql.com/commits/139170
[29 Jul 2011 16:54] Paul DuBois
Noted in 5.5.16, 5.6.3 changelogs.

The embedded server crashed when argc = 0.