Comment 1 for bug 539480

Kristian Nielsen (knielsen) wrote : Re: Read past end of buffer in xt_scan_branch_single()

Here is a similar Valgrind error for xt_scan_branch_fix(), which can be
obtained by running test case pbxt.type_enum (much easier, takes only about 1
minute under Valgrind):

==7276== Invalid read of size 4
==7276== at 0x9FF73F: xt_get_res_record_ref(unsigned char*, XTIdxResult*) (index_xt.h:454)
==7276== by 0x9F878E: xt_scan_branch_fix(XTTable*, XTIndex*, XTIdxBranch*, XTIdxKeyValue*, XTIdxResult*) (index_xt.cc:622)
==7276== by 0x9FEE6B: xt_idx_insert(XTOpenTable*, XTIndex*, unsigned, unsigned, unsigned char*, unsigned char*, int) (index_xt.cc:1877)
==7276== by 0xA1924B: xt_tab_new_record(XTOpenTable*, unsigned char*) (table_xt.cc:4392)
==7276== by 0x9EECD9: ha_pbxt::write_row(unsigned char*) (ha_pbxt.cc:2645)
==7276== by 0x7C4CC1: handler::ha_write_row(unsigned char*) (handler.cc:4642)
==7276== by 0x728939: write_record(THD*, st_table*, st_copy_info*) (sql_insert.cc:1632)
==7276== by 0x72D504: mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) (sql_insert.cc:860)
==7276== by 0x68CDF5: mysql_execute_command(THD*) (sql_parse.cc:3244)
==7276== by 0x692F7F: mysql_parse(THD*, char const*, unsigned, char const**) (sql_parse.cc:6034)
==7276== by 0x693D91: dispatch_command(enum_server_command, THD*, char*, unsigned) (sql_parse.cc:1247)
==7276== by 0x69528F: do_command(THD*) (sql_parse.cc:886)
==7276== by 0x68066C: handle_one_connection (sql_connect.cc:1132)
==7276== by 0x50463F6: start_thread (pthread_create.c:297)
==7276== by 0x6026B4C: clone (in /usr/lib/debug/libc-2.7.so)
==7276== Address 0xcf9802e is 33,701,886 bytes inside a block of size 33,701,888 alloc'd
==7276== at 0x4C22FAB: malloc (vg_replace_malloc.c:207)
==7276== by 0x9FF9A2: xt_malloc(XTThread*, unsigned long) (memory_xt.cc:101)
==7276== by 0xA439F2: xt_ind_init(XTThread*, unsigned long) (cache_xt.cc:632)
==7276== by 0x9EBDBC: pbxt_call_init(XTThread*) (ha_pbxt.cc:974)
==7276== by 0x9EC109: pbxt_init(void*) (ha_pbxt.cc:1194)
==7276== by 0x7C8E01: ha_initialize_handlerton(st_plugin_int*) (handler.cc:429)
==7276== by 0x88ADD6: plugin_initialize(st_plugin_int*) (sql_plugin.cc:1033)
==7276== by 0x88E979: plugin_init(int*, char**, int) (sql_plugin.cc:1258)
==7276== by 0x67A21C: init_server_components() (mysqld.cc:4069)
==7276== by 0x67ACF5: main (mysqld.cc:4541)

Seems like exactly the same issue as xt_scan_branch_single(). Probably all the
xt_scan_branch_* functions need to be checked for this issue.
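The Valgrind report above says the 4-byte read starts 33,701,886 bytes into a 33,701,888-byte block, i.e. it runs 2 bytes past the end of the index cache allocation. The following C is an added illustration of that arithmetic and of a bounds-checked 4-byte accessor; it is not PBXT code. The function names (bytes_past_end, checked_get_u32), the 16-byte sample buffer and the offsets used are assumptions made for the example, not values from the bug report other than the block size, offset and read size quoted in the trace.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * How many bytes a read of `size` bytes starting at `offset` in a block of
 * `block_size` bytes extends past the block's end. 0 means the read is in
 * bounds. This is the computation one does by hand from Valgrind's
 * "Invalid read of size S" / "Address ... is N bytes inside a block of size M"
 * pair: overrun = (N + S) - M when that is positive.
 */
size_t bytes_past_end(size_t offset, size_t size, size_t block_size)
{
    size_t end = offset + size;            /* one past the last byte read */
    return end > block_size ? end - block_size : 0;
}

/*
 * Hypothetical bounds-checked replacement for an unchecked 4-byte record
 * reference read at `off` inside `buf`. Returns 0 and stores the value on
 * success, -1 if fewer than 4 bytes remain. The subtraction form avoids
 * overflow in `off + 4` for large `off`.
 */
int checked_get_u32(const unsigned char *buf, size_t buf_len, size_t off,
                    uint32_t *out)
{
    if (off > buf_len || buf_len - off < 4)
        return -1;                         /* would read past the block */
    uint32_t v;
    memcpy(&v, buf + off, sizeof v);       /* memcpy: no alignment assumption */
    *out = v;
    return 0;
}

/* Constructed 16-byte stand-in for an index branch; contents are arbitrary. */
static const unsigned char sample_branch[16] = {
    0x01, 0x00, 0x00, 0x00,  0x02, 0x00, 0x00, 0x00,
    0x03, 0x00, 0x00, 0x00,  0xaa, 0xbb, 0xcc, 0xdd
};

/* Reads a 4-byte ref at `off` from the sample branch; returns 1 if in bounds. */
int read_sample_ref(size_t off, uint32_t *out)
{
    return checked_get_u32(sample_branch, sizeof sample_branch, off, out) == 0;
}

int main(void)
{
    /* Numbers quoted in the Valgrind output above. */
    size_t over = bytes_past_end(33701886u, 4, 33701888u);
    printf("read runs %zu byte(s) past the end of the block\n", over);

    uint32_t v;
    if (read_sample_ref(12, &v))
        printf("ref at offset 12 read OK\n");
    if (!read_sample_ref(14, &v))
        printf("ref at offset 14 rejected: only 2 bytes remain\n");
    return 0;
}
```

The check in checked_get_u32 is the kind of guard each xt_scan_branch_* variant would need before dereferencing a record reference near the end of a branch: the index cache block is one large allocation, so an overread does not fault at runtime and only Valgrind (or a hardened allocator) makes it visible.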