Description:
In ft_nlq_find_relevance(), FT_INFO.doc is accessed directly. This array will not have been allocated if FT_INFO.ndocs == 0, so the access can be an out-of-bounds memory read and can crash mysqld.
How to repeat:
ft_init_nlq_search() performs malloc() for an FT_INFO sized by the number of matched documents; when this is 0 it does not allocate memory for the FT_DOC array.
Reproducing the crash is difficult because it requires that the out-of-bounds read happen to hit an inaccessible address at the time.
One stack trace, however:
mysqld-nt.exe!_ft_nlq_find_relevance() + 0xa6 C
mysqld-nt.exe!Item_func_match::val() Line 3217 + 0xc C++
mysqld-nt.exe!Item_cond_or::val_int() Line 2098 + 0x7 C++
mysqld-nt.exe!Item_cond_and::val_int() Line 2080 + 0x7 C++
mysqld-nt.exe!sub_select(JOIN * join=0x00000000, st_join_table * join_tab=0x00000001, int end_of_records=45343984) Line 5807 + 0xd C++
mysqld-nt.exe!sub_select(JOIN * join=0x00000000, st_join_table * join_tab=0x00000001, int end_of_records=0) Line 5809 + 0xd C++
mysqld-nt.exe!do_select(JOIN * join=0x02b3cfd8, List<Item> * fields=0x004b06b0, st_table * table=0x02bad008, Procedure * procedure=0x00000000) Line 5693 + 0x9 C++
mysqld-nt.exe!JOIN::exec() Line 1147 + 0x17 C++
mysqld-nt.exe!mysql_select(THD * thd=0x02b1ab58, Item * * * rref_pointer_array=0x02b1ad90, st_table_list * tables=0x02b32a90, unsigned int wild_num=0, List<Item> & fields={...}, Item * conds=0x02b33820, unsigned int og_num=2, st_order * order=0x02b339d0, st_order * group=0x02b33930, Item * having=0x00000000, st_order * proc_param=0x00000000, unsigned long select_options=42224128, select_result * result=0x02b33a10, st_select_lex_unit * unit=0x02b1aba4, st_select_lex * select_lex=0x02b1aca4) Line 1602 C++
mysqld-nt.exe!handle_select(THD * thd=0x02b1ab58, st_lex * lex=0x02b1ab98, select_result * result=0x02b33a10) Line 193 + 0x51 C++
mysqld-nt.exe!mysql_execute_command(THD * thd=0x02b1ab58) Line 2039 + 0x8 C++
mysqld-nt.exe!mysql_parse(THD * thd=0x02b1ab58, char * inBuf=0x02b32030, unsigned int length=501) Line 4122 C++
mysqld-nt.exe!dispatch_command(enum_server_command command=COM_QUERY, THD * thd=0x02b1ab58, char * packet=0x02b29ff1, unsigned int packet_length=502) Line 147 C++
mysqld-nt.exe!do_command(THD * thd=0x02b1ab58) Line 1291 + 0xd C++
mysqld-nt.exe!handle_one_connection(void * arg=0x02b1ab58) Line 1023 + 0x6 C++
mysqld-nt.exe!_pthread_create() + 0xcb C
mysqld-nt.exe!__beginthread() + 0xce
Suggested fix:
Add a bounds check in ft_nlq_find_relevance() so the FT_DOC array is never accessed when ndocs == 0.
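As an added illustration (not code from this report or from MySQL), the allocation and lookup patterns described above in simplified form, with the defective read beside the bounds-checked variant the suggested fix calls for. The struct layout, the function names and the curdoc fast path are assumptions modelled on the report, not MySQL's actual definitions.

```c
#include <stdlib.h>

/* Constructed, simplified stand-ins for FT_DOC and FT_INFO; not MySQL's real definitions. */
typedef struct { long dpos; float weight; } ft_doc_t;
typedef struct {
    unsigned ndocs;   /* number of matched documents */
    unsigned curdoc;  /* cursor for the sequential read-next path */
    ft_doc_t doc[];   /* tail sized from ndocs at allocation: zero entries when ndocs == 0 */
} ft_info_t;

/* Allocation as the report describes: ndocs == 0 yields a handle with no doc[] entry at all.
   matches must already be sorted by dpos. */
static ft_info_t *nlq_init(const ft_doc_t *matches, unsigned ndocs)
{
    ft_info_t *h = malloc(sizeof *h + (size_t)ndocs * sizeof *h->doc);
    if (!h) return NULL;
    h->ndocs = ndocs; h->curdoc = 0;
    for (unsigned i = 0; i < ndocs; i++) h->doc[i] = matches[i];
    return h;
}

static int doc_cmp(const void *a, const void *b)   /* bsearch order: by dpos */
{
    long x = ((const ft_doc_t *)a)->dpos, y = ((const ft_doc_t *)b)->dpos;
    return (x > y) - (x < y);
}

/* Defect pattern: doc[curdoc] is read before any check, an out-of-bounds read when
   ndocs == 0. Kept for contrast only; nothing below calls it. */
float nlq_find_relevance_unchecked(ft_info_t *h, long dpos)
{
    ft_doc_t key = { dpos, 0.0f }, *d;
    if (h->doc[h->curdoc].dpos == dpos) return h->doc[h->curdoc].weight;
    d = bsearch(&key, h->doc, h->ndocs, sizeof *d, doc_cmp);
    return d ? d->weight : 0.0f;
}

/* Hardened form matching the suggested fix: an empty result can match nothing, so return
   before touching doc[]; curdoc is also kept inside [0, ndocs). */
float nlq_find_relevance_checked(ft_info_t *h, long dpos)
{
    ft_doc_t key = { dpos, 0.0f }, *d;
    if (h->ndocs == 0) return 0.0f;
    if (h->curdoc < h->ndocs && h->doc[h->curdoc].dpos == dpos) return h->doc[h->curdoc].weight;
    d = bsearch(&key, h->doc, h->ndocs, sizeof *d, doc_cmp);
    return d ? d->weight : 0.0f;
}

/* Builds a handle over the first ndocs (max 3) of a constructed sorted match list, looks up dpos. */
float demo_lookup(unsigned ndocs, long dpos)
{
    static const ft_doc_t matches[] = { {3, 0.25f}, {7, 1.5f}, {9, 0.75f} };
    ft_info_t *h = nlq_init(matches, ndocs > 3 ? 3 : ndocs);
    float w = h ? nlq_find_relevance_checked(h, dpos) : -1.0f;
    free(h);
    return w;
}
```

demo_lookup(0, 7) exercises exactly the ndocs == 0 case from the report: the checked variant returns 0.0 without ever indexing doc[].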