Bug #76984 malloc/free mismatch in MySQLGetPrivateProfileStringW
Submitted: 8 May 2015 13:17 Modified: 27 Jan 2016 16:10
Reporter: Jaco Kroon Email Updates:
Status: Closed Impact on me:
Category:Connector / ODBC Severity:S2 (Serious)
Version:5.2.7 OS:Linux
Assigned to: CPU Architecture:Any

[8 May 2015 13:17] Jaco Kroon
ret is allocated using malloc() (libc) directly, but then is free()'d later on using x_free which in turn wraps my_free.

In certain other client library versions (MariaDB 10.X) this causes problems as my_malloc and my_free does some extra work.  There is two possible fixes:

1.  Use my_malloc
2.  Use free

There is a secondary bug in that memset is called directly on the value of ret without first checking that it actually succeeded.  The risk on that is probably negligible.

How to repeat:
Install MariaDB 10.X
Install myodbc.
Try to use an application that uses myodbc.

Suggested fix:
Switch to using my_malloc in MySQLGetPrivateProfileStringW function in util/odbcinstw.c.
[8 May 2015 13:19] Jaco Kroon
use free() instead of x_free ...

Attachment: myodbc-mariadb-segfault.patch (text/x-patch), 585 bytes.

[8 May 2015 13:31] Jaco Kroon
use my_malloc() instead of malloc()

Attachment: myodbc-mariadb-segfault2.patch (text/x-patch), 594 bytes.

[8 May 2015 13:32] Jaco Kroon
Two patches, I prefer the latter, so by using my_malloc we also get zeroing of the memory area directly, without a separate (unsafe) memset.
[12 May 2015 11:34] Chiranjeevi Battula
Hello  	Jaco Kroon,

Thank you for the report and contribution.

[13 Nov 2015 8:16] Bogdan Degtyariov
Posted by developer:
The patch is pushed into mysql-5.7 branch inside Connector/ODBC git repository.
[27 Jan 2016 16:10] Daniel So
Added the following entry to the C/ODBC 5.3.6 changelog:

"The function MySQLGetPrivateProfileStringW() used malloc() to allocate
memory and then xfree() to free the allocated memory for a returned
value. That caused some issues when certain third-party versions of
MySQL client library (like MariaDB 10.x) was used. The issues have been
fixed by replacing malloc() with my_malloc()."