Bug #8522 Potential crash in fulltext query, out of bounds memory access
Submitted: 15 Feb 2005 19:53    Modified: 22 Feb 2005 14:10
Reporter: Dean Ellis
Status: Closed
Category: MySQL Server    Severity: S1 (Critical)
Version: 4.0.24 forward
Assigned to: Dean Ellis    CPU Architecture: Any

[15 Feb 2005 19:53] Dean Ellis
Description:
In ft_nlq_find_relevance(), FT_INFO.doc is accessed directly.  This will not have been allocated if FT_INFO.ndocs == 0, so this can be an out of bounds memory access and can crash mysqld.

How to repeat:
ft_init_nlq_search() performs malloc() for an FT_INFO based on number of documents; when this is 0 it does not allocate memory for the FT_DOC array.

Reproducing the crash is difficult as it requires that the RAM access just happen to be illegal at the time.

One stack trace, however:

mysqld-nt.exe!_ft_nlq_find_relevance()  + 0xa6  C
mysqld-nt.exe!Item_func_match::val()  Line 3217 + 0xc   C++
mysqld-nt.exe!Item_cond_or::val_int()  Line 2098 + 0x7  C++
mysqld-nt.exe!Item_cond_and::val_int()  Line 2080 + 0x7 C++
mysqld-nt.exe!sub_select(JOIN * join=0x00000000, st_join_table * join_tab=0x00000001, int end_of_records=45343984)  Line 5807 + 0xd     C++
mysqld-nt.exe!sub_select(JOIN * join=0x00000000, st_join_table * join_tab=0x00000001, int end_of_records=0)  Line 5809 + 0xd    C++
mysqld-nt.exe!do_select(JOIN * join=0x02b3cfd8, List<Item> * fields=0x004b06b0, st_table * table=0x02bad008, Procedure * procedure=0x00000000)  Line 5693 + 0x9  C++
mysqld-nt.exe!JOIN::exec()  Line 1147 + 0x17    C++
mysqld-nt.exe!mysql_select(THD * thd=0x02b1ab58, Item * * * rref_pointer_array=0x02b1ad90, st_table_list * tables=0x02b32a90, unsigned int wild_num=0, List<Item> & fields={...}, Item * conds=0x02b33820, unsigned int og_num=2, st_order * order=0x02b339d0, st_order * group=0x02b33930, Item * having=0x00000000, st_order * proc_param=0x00000000, unsigned long select_options=42224128, select_result * result=0x02b33a10, st_select_lex_unit * unit=0x02b1aba4, st_select_lex * select_lex=0x02b1aca4)  Line 1602       C++
mysqld-nt.exe!handle_select(THD * thd=0x02b1ab58, st_lex * lex=0x02b1ab98, select_result * result=0x02b33a10)  Line 193 + 0x51  C++
mysqld-nt.exe!mysql_execute_command(THD * thd=0x02b1ab58)  Line 2039 + 0x8     C++
mysqld-nt.exe!mysql_parse(THD * thd=0x02b1ab58, char * inBuf=0x02b32030, unsigned int length=501)  Line 4122    C++
mysqld-nt.exe!dispatch_command(enum_server_command command=COM_QUERY, THD * thd=0x02b1ab58, char * packet=0x02b29ff1, unsigned int packet_length=502)  Line 147  C++
mysqld-nt.exe!do_command(THD * thd=0x02b1ab58)  Line 1291 + 0xd C++
mysqld-nt.exe!handle_one_connection(void * arg=0x02b1ab58)  Line 1023 + 0x6    C++
mysqld-nt.exe!_pthread_create()  + 0xcb C
mysqld-nt.exe!__beginthread()  + 0xce

Suggested fix:
Bounds check in ft_nlq_find_relevance() to prevent accessing FT_DOC array if ndocs==0.
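As an added illustration (not MySQL's own code, and not the actual fix), the following C model shows the allocation pattern the report describes: a search handle whose document array lives in the same malloc'd block and is sized by the number of matching documents, a lookup that touches the first entry even when that number is zero, and the same lookup behind the bounds check the report suggests. The struct and function names, the binary-search shape of the lookup, and the sample hits are all assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not MySQL source.  Toy model of the pattern in the report:
 * a search handle whose document array is allocated in the same block,
 * sized by the number of matching documents.  All names are invented. */

typedef struct {
    long   dpos;    /* document position; doc[] is kept sorted by dpos */
    double weight;  /* relevance weight for that document */
} doc_t;

typedef struct {
    unsigned ndocs;  /* entries actually allocated in doc[] */
    doc_t    doc[];  /* flexible array member: storage follows the header */
} ft_info_model_t;

/* Models the allocation the report describes: header plus ndocs entries.
 * With ndocs == 0 the block is header-only, so doc[0] does not exist. */
ft_info_model_t *init_search_model(const doc_t *hits, unsigned ndocs)
{
    ft_info_model_t *info = malloc(sizeof *info + (size_t)ndocs * sizeof *hits);
    if (!info)
        return NULL;
    info->ndocs = ndocs;
    if (ndocs)
        memcpy(info->doc, hits, (size_t)ndocs * sizeof *hits);
    return info;
}

/* Unchecked lookup.  The loop guard is false when ndocs == 0, so control
 * falls straight through to doc[0] on a header-only block: an out-of-bounds
 * read (undefined behaviour; a crash if the adjacent memory is unmapped).
 * Only safe to call with info->ndocs > 0. */
double find_relevance_unchecked(const ft_info_model_t *info, long docid)
{
    unsigned a = 0, b = info->ndocs;
    while (b - a > 1) {
        unsigned c = (a + b) / 2;
        if (info->doc[c].dpos > docid)
            b = c;
        else
            a = c;
    }
    return info->doc[a].dpos == docid ? info->doc[a].weight : 0.0;
}

/* Hardened lookup: the bounds check the report suggests.  No entries means
 * no relevance, and doc[] is never touched. */
double find_relevance_checked(const ft_info_model_t *info, long docid)
{
    if (info->ndocs == 0)
        return 0.0;
    return find_relevance_unchecked(info, docid);
}

/* Constructed sample hits for the demo (not real index data). */
static const doc_t sample_hits[] = { {3, 0.5}, {7, 1.25}, {12, 2.0} };
#define SAMPLE_N ((unsigned)(sizeof sample_hits / sizeof sample_hits[0]))

/* Build a handle holding the first ndocs sample hits (0 models a query that
 * matched nothing), run the checked lookup, free, and return the weight. */
double checked_lookup_demo(unsigned ndocs, long docid)
{
    if (ndocs > SAMPLE_N)
        ndocs = SAMPLE_N;
    ft_info_model_t *info = init_search_model(sample_hits, ndocs);
    if (!info)
        return -1.0;
    double w = find_relevance_checked(info, docid);
    free(info);
    return w;
}

/* Same with the unchecked lookup; returns -1.0 for ndocs == 0 rather than
 * deliberately triggering the out-of-bounds read. */
double unchecked_lookup_demo(unsigned ndocs, long docid)
{
    if (ndocs == 0 || ndocs > SAMPLE_N)
        return -1.0;
    ft_info_model_t *info = init_search_model(sample_hits, ndocs);
    if (!info)
        return -1.0;
    double w = find_relevance_unchecked(info, docid);
    free(info);
    return w;
}

int main(void)
{
    printf("checked,   3 docs, docid 7  -> %.2f\n", checked_lookup_demo(3, 7));
    printf("checked,   0 docs, docid 7  -> %.2f\n", checked_lookup_demo(0, 7));
    printf("unchecked, 3 docs, docid 12 -> %.2f\n", unchecked_lookup_demo(3, 12));
    return 0;
}
```

The demo helper refuses to run the unchecked path with zero documents because that read is undefined behaviour: whether it faults depends on what happens to sit just past the malloc'd header, which is why the report describes the crash as hard to reproduce. The guard in find_relevance_checked is the whole of the fix the report asks for; it costs one comparison and removes the only path that reads doc[] without a corresponding allocation.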
[17 Feb 2005 2:47] Dean Ellis
Fixed in 4.0.24, 4.1.11, 5.0.3.
[17 Feb 2005 18:06] Paul DuBois
Mentioned in 4.0.24, 4.1.11, and 5.0.3 change notes.