• Praveenkumar Hulakund's avatar
    Bug#14466617 - INVALID WRITES AND/OR CRASH WITH USER · d912a758
    Praveenkumar Hulakund authored
                   VARIABLES 
    
    Analysis:
    -------------
    After executing the query, new value of the user defined
    variables are set in the function "select_dumpvar::send_data".
    "select_dumpvar::send_data" first calls function 
    "Item_func_set_user_var::save_item_result()". This function
    checks the nullness of the Item_field passed as parameter 
    to it and saves it. The nullness of item is stored with 
    arg[0]'s null_value flag. Then "select_dumpvar::send_data" calls
    "Item_func_set_user_var::update()" which notices null 
    result that was saved and calls "Item_func_set_user_var::
    update_hash". But here null_value is not set and args[0]
    is different from that given to function "Item_func_set_user_var::
    set_item_result()". This causes "Item_func_set_user_var::
    update_hash" function to believe that its getting non-null value.
    "user_var_entry::length" set to 0 and hence "user_var_entry::value"
    is made to point to extra_area allocated in "user_var_entry".
    And "Item_func_set_user_var::update_hash" tries to write
    at memory beyond extra_area for result type DECIMAL. Because of 
    this invalid write issue is reported by Valgrind.
    
    Before this bug was introduced, we avoided this problem by 
    creating "Item_func_set_user_var" object with the same 
    Item_field as arg[0] and as parameter to 
    Item_func_set_user_var::save_item_result(). But now 
    they are refering to different args[0]. Because of this
    null_value flag set in parameter Item_field in function
    "Item_func_set_user_var::save_item_result()" is not
    reflected in "Item_func_set_user_var" object.
    
    Fix:
    ------------
    This issue is reported on versions 5.5.24. Issue does not exists
    in 5.5.23, 5.1, 5.6 and trunk.
    
    This issue was introduced by
    revid:georgi.kodinov@oracle.com-20120309130449-82e3bs5v3et1x0ef (fix for
    bug #12408412), which was pushed into 5.5 and later releases. This patch
    has later been reversed in 5.6 and trunk by
    revid:norvald.ryeng@oracle.com-20121010135242-xj34gg73h04hrmyh (fix for
    bug #14664077). Backported this patch in 5.5 also to fix this issue.
    
    
    sql/item_func.cc:
      here unsigned value is converted to signed value.
    sql/item_func.h:
      last_insert_id() gives an auto_incremented value which can be
      positive only,so defined it as a unsigned longlong sets the
      unsigned_flag to 1.
    d912a758
sql_class.h 118 KB