Bug #7003 malloc return value not checked
Submitted: 4 Dec 2004 3:22 Modified: 3 Aug 2005 20:39
Reporter: R Koo Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server Severity:S3 (Non-critical)
Version:5.0.1 alpha OS:Microsoft Windows (Windows XP)
Assigned to: Jim Winstead CPU Architecture:Any

[4 Dec 2004 3:22] R Koo
Description:
Several places in the code do not check the buffer returned by
malloc to make sure it was actually allocated.  In low memory conditions 
this call could fail, causing a null pointer exception later in the code.  In most places the return value is checked so these seem to be exceptions rather than the norm.

This happens in the following four places:

mysqld.cpp:3220 - account_name=(char*)malloc(27);

ctype-tis620.c:545 - tc1= (uchar*) malloc(len1+len2);

ctype-tis620:577 - a= (uchar*) malloc(a_length+b_length);

regcomp.c:1066 - p->g->sets = (cset *)malloc(nc *sizeof(cset));
     else
        p->g->sets = (cset *)realloc((char *)p->g->sets, nc * sizeof(cset));

How to repeat:
Not Applicable

Suggested fix:
Check return buffer to make sure it is not null.
[24 Jun 2005 20:40] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/26421
[24 Jul 2005 12:18] Sela Lerer
Got the same problem on WIN XP without using the mysql_init() allocation.
[24 Jul 2005 12:19] Sela Lerer
The code:
#include <stdio.h>
#include <windows.h>
#include <mysql.h>

#define CONNECTION_COUNT 4

void printMemStat(void)
{
	MEMORYSTATUS memStat;
	GlobalMemoryStatus(&memStat);
	printf("FREE MEMORY %uK/%uK (%3.2lf%%)\n",memStat.dwAvailVirtual/1024,memStat.dwTotalVirtual/1024
		,((double)memStat.dwAvailVirtual/(double)memStat.dwTotalVirtual)*100);
	printf("USED MEMORY %uK\n",(memStat.dwTotalVirtual-memStat.dwAvailVirtual)/1024);
}

int main(int argc, char *argv[])
{
	if(mysql_thread_safe())
	{
		static MYSQL conn[CONNECTION_COUNT];
		int connected[CONNECTION_COUNT]={0};
		int i=0;
		my_init();
		printf("START: ");
		printMemStat();
		for(i=0;i<CONNECTION_COUNT;i++)
		{
			printf("Before connection %d...\n",i);
			printMemStat();
			getchar();
			if(NULL!=mysql_real_connect(&conn[i],"localhost","root","sela90","kevin",3306,NULL,CLIENT_MULTI_STATEMENTS))
			{
				connected[i]=1;
				printf("Connected %d successfully.\n",i);
				printMemStat();
			}
			else
			{
				fprintf(stderr,"mysql_real_connect() %d error: %s\n",i,mysql_error(&conn[i]));
			}
		}
		for(i=0;i<CONNECTION_COUNT;i++)
		{
			if(connected[i])
			{
				printf("Before closing connection %d...\n",i);
				printMemStat();
				getchar();
				mysql_close(&conn[i]);
				printf("Closed connection %d.\n",i);
				printMemStat();
			}
		}
		printf("Before mysql_thread_end()....\n");
		getchar();
		mysql_thread_end();
		printf("EXIT: ");
		printMemStat();
		getchar();
	}
	else
	{
		fprintf(stderr,"MySQL client library is not thread safe. Exiting.\n");
		getchar();
	}
	return 0;
}
[24 Jul 2005 12:21] Sela Lerer
Ooops, wrong bug, this belongs to bug #7619.
[3 Aug 2005 2:53] Jim Winstead
Fixed in 5.0.14.
[3 Aug 2005 20:39] Mike Hillyer
Documented in 5.0.11 changelog: 

<listitem><para>Added checks to prevent error when allocating memory when there was insufficient memory available. (Bug #7003)</para></listitem>