Out-of-bound reads in loose index scan

Bug #1067099 reported by Alexey Kopytov
This bug report is a duplicate of: Bug #1515591: Valgrind error on main.group_min_max.
Affects                                                       Status    Importance  Assigned to  Milestone
MySQL Server                                                  Unknown   Unknown
Percona Server (moved to https://jira.percona.com/projects/PS)  Triaged   High        Unassigned
  5.1                                                         Triaged   High        Unassigned
  5.5                                                         Triaged   High        Unassigned

Bug Description

Found using AddressSanitizer testing.

When the code QUICK_GROUP_MIN_MAX_SELECT::add_range() constructs a new QUICK_RANGE object, there's an implicit assumption that sel_range->min_value and sel_range->max_value contain at least min_max_arg_len + 1 bytes, because the QUICK_RANGE constructor calls sql_memdup({min,max}_key_arg,min_length_arg+1).

However, that is not the case when either of the arguments is a pointer to 'is_null_string', which is a 2-byte static buffer. This is the case detected by AddressSanitizer during a main.group_min_max test run.

How to repeat:
Examine the code or run main.group_min_max against an AddressSanitizer-instrumented server binary.
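A reduced C model of the over-read described in this report, added here as an illustration and not Percona's code or fix: the buffer contents, the memdup stand-in and the bounded variant are assumptions, and the bounded variant is one possible hardening rather than the project's actual patch.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for the 2-byte static 'is_null_string' named in the report
 * (constructed contents; the real definition lives in the MySQL source). */
static const unsigned char is_null_string[2] = { 1, 0 };

/* Stand-in for sql_memdup(): allocate len bytes and copy them from src. */
static unsigned char *memdup_bytes(const unsigned char *src, size_t len)
{
    unsigned char *p = malloc(len);
    if (p != NULL)
        memcpy(p, src, len);
    return p;
}

/* The pattern the report describes: the copy length is derived from the
 * key length, not from the size of the buffer actually pointed to. When
 * key points at is_null_string and key_len + 1 > 2, memcpy reads past the
 * 2-byte global; an ASan build flags it as a global-buffer-overflow.
 * (Kept for comparison only; the test below does not call it.) */
unsigned char *dup_key_unchecked(const unsigned char *key, size_t key_len)
{
    return memdup_bytes(key, key_len + 1);
}

/* One possible hardening (an assumption, not the project's fix): the
 * caller states how many bytes key really holds, the copy is clamped to
 * that, and the rest of the key_len + 1 result is zero-filled so the
 * consumer still sees the buffer size it expects. */
unsigned char *dup_key_bounded(const unsigned char *key, size_t key_avail,
                               size_t key_len, size_t *copied)
{
    size_t want = key_len + 1;
    size_t n = key_avail < want ? key_avail : want;
    unsigned char *p = calloc(want, 1);
    if (p == NULL)
        return NULL;
    memcpy(p, key, n);
    if (copied != NULL)
        *copied = n;
    return p;
}
```

Building the model with -fsanitize=address and calling dup_key_unchecked(is_null_string, 8) reproduces the class of report ASan raised against the real server; the bounded variant copies only the two bytes that exist.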

Tags: asan