3-byte read function uint3korr reads 4 bytes on x86

Bug #1628417 reported by Laurynas Biveinis on 2016-09-28
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
MySQL Server
Unknown
Unknown
Percona Server
Status tracked in 5.7
5.5
Low
Laurynas Biveinis
5.6
Low
Laurynas Biveinis
5.7
Undecided
Unassigned

Bug Description

This shows up as an ASan error on 5.5 trunk, 32-bit build:

binlog.binlog_mysqlbinlog_row 'row' w4 [ fail ]
        Test ended at 2016-09-22 15:17:56

CURRENT_TEST: binlog.binlog_mysqlbinlog_row
=================================================================
==27814==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb3e05d51 at pc 0x08057f8e bp 0xbfee4b98 sp 0xbfee4b88
READ of size 4 at 0xb3e05d51 thread T0
    #0 0x8057f8d in log_event_print_value /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-32bit/sql/log_event.cc:1689
    #1 0x8072e53 in Rows_log_event::print_verbose_one_row(st_io_cache*, table_def*, st_print_event_info*, st_bitmap*, unsigned char const*, unsigned char const*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-32bit/sql/log_event.cc:1969
    #2 0x8074790 in Rows_log_event::print_verbose(st_io_cache*, st_print_event_info*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-32bit/sql/log_event.cc:2048
    #3 0x80753ca in Log_event::print_base64(st_io_cache*, st_print_event_info*, bool) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-32bit/sql/log_event.cc:2137
    #4 0x8075da3 in Rows_log_event::print_helper(_IO_FILE*, st_print_event_info*, char const*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-32bit/sql/log_event.cc:8478
    #5 0x8075ed8 in Write_rows_log_event::print(_IO_FILE*, st_print_event_info*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-32bit/sql/log_event.cc:9677
    #6 0x80787e4 in process_event(st_print_event_info*, Log_event*, unsigned long long, char const*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-32bit/client/mysqlbinlog.cc:1129
    #7 0x807b262 in dump_local_log_entries /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-32bit/client/mysqlbinlog.cc:2271
    #8 0x807b262 in dump_log_entries /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-32bit/client/mysqlbinlog.cc:1706
    #9 0x807bb9f in main /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-32bit/client/mysqlbinlog.cc:2377
    #10 0xb6bd9636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #11 0x804bcf0 (/mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-32bit/client/mysqlbinlog+0x804bcf0)

0xb3e05d54 is located 0 bytes to the right of 4-byte region [0xb3e05d50,0xb3e05d54)
allocated by thread T0 here:
    #0 0xb7286dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x81209a9 in my_malloc /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-32bit/mysys/my_malloc.c:38
    #2 0x806d764 in Rows_log_event::Rows_log_event(char const*, unsigned int, Log_event_type, Format_description_log_event const*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-32bit/sql/log_event.cc:7743
    #3 0x806f4a4 in Write_rows_log_event::Write_rows_log_event(char const*, unsigned int, Format_description_log_event const*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-32bit/sql/log_event.cc:9225
    #4 0x807531a in Log_event::print_base64(st_io_cache*, st_print_event_info*, bool) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-32bit/sql/log_event.cc:2122
    #5 0x8075da3 in Rows_log_event::print_helper(_IO_FILE*, st_print_event_info*, char const*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-32bit/sql/log_event.cc:8478
    #6 0x8075ed8 in Write_rows_log_event::print(_IO_FILE*, st_print_event_info*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-32bit/sql/log_event.cc:9677
    #7 0x80787e4 in process_event(st_print_event_info*, Log_event*, unsigned long long, char const*) /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-32bit/client/mysqlbinlog.cc:1129
    #8 0x807b262 in dump_local_log_entries /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-32bit/client/mysqlbinlog.cc:2271
    #9 0x807b262 in dump_log_entries /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-32bit/client/mysqlbinlog.cc:1706
    #10 0x807bb9f in main /mnt/workspace/percona-server-5.5-asan-param/BUILD_TYPE/debug-asan/Host/ubuntu-xenial-32bit/client/mysqlbinlog.cc:2377
    #11 0xb6bd9636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.