Bug#33675: Usage of an uninitialized memory by filesort in a subquery caused

server crash. The filesort implementation has an optimization for subquery execution which consists of reusing previously allocated buffers. In particular the call to the read_buffpek_from_file function might be skipped when a big enough buffer for buffer descriptors (buffpeks) is already allocated. Beside allocating memory for buffpeks this function fills allocated buffer with data read from disk. Skipping it might led to using an arbitrary memory as fields' data and finally to a crash. Now the read_buffpek_from_file function is always called. It allocates new buffer only when necessary, but always fill it with correct data.

Bug#33675: Usage of an uninitialized memory by filesort in a subquery caused
server crash. The filesort implementation has an optimization for subquery execution which consists of reusing previously allocated buffers. In particular the call to the read_buffpek_from_file function might be skipped when a big enough buffer for buffer descriptors (buffpeks) is already allocated. Beside allocating memory for buffpeks this function fills allocated buffer with data read from disk. Skipping it might led to using an arbitrary memory as fields' data and finally to a crash. Now the read_buffpek_from_file function is always called. It allocates new buffer only when necessary, but always fill it with correct data.
ce111a0d · evgen@moonbone.local · 7fe932ed · ce111a0d · ce111a0d · ce111a0d
Commit ce111a0d authored Jan 09, 2008 by evgen@moonbone.local
Hide whitespace changes
Inline Side-by-side

Showing with 44 additions and 9 deletions

mysql-test/r/subselect.result mysql-test/r/subselect.result +9 -0

mysql-test/t/subselect.test mysql-test/t/subselect.test +22 -0

sql/filesort.cc sql/filesort.cc +13 -9

No files found.
--- a/mysql-test/r/subselect.result
+++ b/mysql-test/r/subselect.result
@@ -4383,4 +4383,13 @@ SELECT 2 FROM t1 WHERE EXISTS ((SELECT 1 FROM t2 WHERE t1.a=t2.a) UNION
 ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION 
 (SELECT 1 FROM t2 WHERE t1.a = t2.a))' at line 2
 DROP TABLE t1,t2;
+create table t1(f11 int, f12 int);
+create table t2(f21 int unsigned not null, f22 int, f23 varchar(10));
+insert into t1 values(1,1),(2,2), (3, 3);
+set session sort_buffer_size= 33*1024;
+select count(*) from t1 where f12 = 
+(select f22 from t2 where f22 = f12 order by f21 desc, f22, f23 limit 1);
+count(*)
+3
+drop table t1,t2;
 End of 5.0 tests.
--- a/mysql-test/t/subselect.test
+++ b/mysql-test/t/subselect.test
@@ -3230,4 +3230,26 @@ SELECT 2 FROM t1 WHERE EXISTS ((SELECT 1 FROM t2 WHERE t1.a=t2.a) UNION
 DROP TABLE t1,t2;


+#
+# Bug#33675: Usage of an uninitialized memory by filesort in a subquery
+#            caused server crash.
+#
+create table t1(f11 int, f12 int);
+create table t2(f21 int unsigned not null, f22 int, f23 varchar(10));
+insert into t1 values(1,1),(2,2), (3, 3);
+let $i=10000;
+--disable_query_log
+--disable_warnings
+while ($i)
+{
+  eval insert into t2 values (-1 , $i/5000 + 1, '$i');
+  dec $i;
+}
+--enable_warnings
+--enable_query_log
+set session sort_buffer_size= 33*1024;
+select count(*) from t1 where f12 = 
+(select f22 from t2 where f22 = f12 order by f21 desc, f22, f23 limit 1);
+
+drop table t1,t2;
 --echo End of 5.0 tests.
--- a/sql/filesort.cc
+++ b/sql/filesort.cc
@@ -37,7 +37,8 @@ if (my_b_write((file),(byte*) (from),param->ref_length)) \

 static char **make_char_array(char **old_pos, register uint fields,
                              uint length, myf my_flag);
-static BUFFPEK *read_buffpek_from_file(IO_CACHE *buffer_file, uint count);
+static byte *read_buffpek_from_file(IO_CACHE *buffer_file, uint count,
+                                    byte *buf);
 static ha_rows find_all_keys(SORTPARAM *param,SQL_SELECT *select,
 			     uchar * *sort_keys, IO_CACHE *buffer_file,
 			     IO_CACHE *tempfile,IO_CACHE *indexfile);
@@ -238,9 +239,10 @@ ha_rows filesort(THD *thd, TABLE *table, SORT_FIELD *sortorder, uint s_length,
  }
  else
  {
-    if (!table_sort.buffpek && table_sort.buffpek_len < maxbuffer &&
-        !(table_sort.buffpek=
-          (byte *) read_buffpek_from_file(&buffpek_pointers, maxbuffer)))
+    if (!(table_sort.buffpek=
+          read_buffpek_from_file(&buffpek_pointers, maxbuffer,
+                                 (table_sort.buffpek_len < maxbuffer ?
+                                  NULL : table_sort.buffpek))))
      goto err;
    buffpek= (BUFFPEK *) table_sort.buffpek;
    table_sort.buffpek_len= maxbuffer;
@@ -368,18 +370,20 @@ static char **make_char_array(char **old_pos, register uint fields,

 /* Read 'count' number of buffer pointers into memory */

-static BUFFPEK *read_buffpek_from_file(IO_CACHE *buffpek_pointers, uint count)
+static byte *read_buffpek_from_file(IO_CACHE *buffpek_pointers, uint count,
+                                    byte *buf)
 {
-  ulong length;
-  BUFFPEK *tmp;
+  ulong length= sizeof(BUFFPEK)*count;
+  byte *tmp= buf;
  DBUG_ENTER("read_buffpek_from_file");
  if (count > UINT_MAX/sizeof(BUFFPEK))
    return 0; /* sizeof(BUFFPEK)*count will overflow */
-  tmp=(BUFFPEK*) my_malloc(length=sizeof(BUFFPEK)*count, MYF(MY_WME));
+  if (!tmp)
+    tmp= (byte *)my_malloc(length, MYF(MY_WME));
  if (tmp)
  {
    if (reinit_io_cache(buffpek_pointers,READ_CACHE,0L,0,0) ||
-	my_b_read(buffpek_pointers, (byte*) tmp, length))
+	my_b_read(buffpek_pointers, tmp, length))
    {
      my_free((char*) tmp, MYF(0));
      tmp=0;