
Valgrind warnings (Conditional jump or move depends on uninitialised value) in inflate on UNCOMPRESS

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.0.2, 5.5.31, 5.3.12, 10.0, 5.5
    • Fix Version/s: 10.0.15, 5.5.41
    • Component/s: Tests
    • Labels:

      Description

      Also reproducible on MySQL 5.5, 5.6, 5.7 and filed as http://bugs.mysql.com/bug.php?id=69202

      SELECT UNCOMPRESS( CAST( 0 AS BINARY(5) ) );
      
      ==26747== Thread 4:
      ==26747== Conditional jump or move depends on uninitialised value(s)
      ==26747==    at 0x4E3BF0C: inflate (in /lib/x86_64-linux-gnu/libz.so.1.2.3.4)
      ==26747==    by 0x4E36514: uncompress (in /lib/x86_64-linux-gnu/libz.so.1.2.3.4)
      ==26747==    by 0x5ECA63: Item_func_uncompress::val_str(String*) (item_strfunc.cc:3447)
      ==26747==    by 0x58BB2D: Item::send(Protocol*, String*) (item.cc:5970)
      ==26747==    by 0x65CADF: select_send::send_data(List<Item>&) (sql_class.cc:2012)
      ==26747==    by 0x711486: JOIN::exec() (sql_select.cc:2152)
      ==26747==    by 0x71457C: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2990)
      ==26747==    by 0x70AF26: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:288)
      ==26747==    by 0x6963DE: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5172)
      ==26747==    by 0x68D19D: mysql_execute_command(THD*) (sql_parse.cc:2305)
      ==26747==    by 0x698E58: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6173)
      ==26747==    by 0x68A941: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1243)
      ==26747==    by 0x689BDF: do_command(THD*) (sql_parse.cc:923)
      ==26747==    by 0x68663A: handle_one_connection (sql_connect.cc:1231)
      ==26747==    by 0x548DE99: start_thread (pthread_create.c:308)
      ==26747==    by 0x5F9ACBC: clone (clone.S:112)
      ==26747== Conditional jump or move depends on uninitialised value(s)
      ==26747==    at 0x4E3BF79: inflate (in /lib/x86_64-linux-gnu/libz.so.1.2.3.4)
      ==26747==    by 0x4E36514: uncompress (in /lib/x86_64-linux-gnu/libz.so.1.2.3.4)
      ==26747==    by 0x5ECA63: Item_func_uncompress::val_str(String*) (item_strfunc.cc:3447)
      ==26747==    by 0x58BB2D: Item::send(Protocol*, String*) (item.cc:5970)
      ==26747==    by 0x65CADF: select_send::send_data(List<Item>&) (sql_class.cc:2012)
      ==26747==    by 0x711486: JOIN::exec() (sql_select.cc:2152)
      ==26747==    by 0x71457C: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2990)
      ==26747==    by 0x70AF26: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:288)
      ==26747==    by 0x6963DE: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5172)
      ==26747==    by 0x68D19D: mysql_execute_command(THD*) (sql_parse.cc:2305)
      ==26747==    by 0x698E58: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6173)
      ==26747==    by 0x68A941: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1243)
      ==26747==    by 0x689BDF: do_command(THD*) (sql_parse.cc:923)
      ==26747==    by 0x68663A: handle_one_connection (sql_connect.cc:1231)
      ==26747==    by 0x548DE99: start_thread (pthread_create.c:308)
      ==26747==    by 0x5F9ACBC: clone (clone.S:112)
      
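      /**
        Implements UNCOMPRESS(): inflates a value produced by COMPRESS().

        The argument layout is a 4-byte uncompressed-length header (read with
        uint4korr() below) followed by the zlib stream, so the zlib input
        starts at ptr()+4 and is length()-4 bytes long.

        @param str  Scratch buffer handed to args[0]->val_str().
        @return     Pointer to the inflated data in `buffer`, the (empty)
                    input itself, or NULL with null_value set on any failure;
                    a warning is pushed for the corrupt, too-big and zlib
                    error cases.
      */
      String *Item_func_uncompress::val_str(String *str)
      {
        DBUG_ASSERT(fixed == 1);
        String *res= args[0]->val_str(str);
        ulong new_size;
        int err;
        uint code;

        if (!res)
          goto err;
        null_value= 0;
        if (res->is_empty())
          return res;

        /*
          A valid payload needs the 4-byte length header plus at least one
          byte of zlib data, so anything of length <= 4 is corrupt. This also
          guarantees that length()-4 below is positive.
        */
        if (res->length() <= 4)
        {
          push_warning_printf(current_thd,MYSQL_ERROR::WARN_LEVEL_ERROR,
                         ER_ZLIB_Z_DATA_ERROR,
                         ER(ER_ZLIB_Z_DATA_ERROR));
          goto err;
        }

        /*
          Size of uncompressed data is stored as first 4 bytes of field.
          The top two bits are masked off; NOTE(review): their meaning is not
          visible here -- confirm against COMPRESS().
        */
        new_size= uint4korr(res->ptr()) & 0x3FFFFFFF;
        /*
          The header is caller-supplied, so cap the allocation at
          max_allowed_packet before trusting it.
        */
        if (new_size > current_thd->variables.max_allowed_packet)
        {
          push_warning_printf(current_thd,MYSQL_ERROR::WARN_LEVEL_ERROR,
                         ER_TOO_BIG_FOR_UNCOMPRESS,
                         ER(ER_TOO_BIG_FOR_UNCOMPRESS),
                              static_cast<int>(current_thd->variables.
                                               max_allowed_packet));
          goto err;
        }
        if (buffer.realloc((uint32)new_size))
          goto err;

        /*
          sourceLen must describe only the zlib stream, i.e. exclude the
          4-byte header that the source pointer already skips. Passing the
          full length() made inflate() read 4 bytes past the end of the
          input buffer, which is the uninitialised-value report above.
        */
        if ((err= uncompress((Byte*)buffer.ptr(), &new_size,
                        ((const Bytef*)res->ptr())+4,
                        res->length() - 4)) == Z_OK)
        {
          buffer.length((uint32) new_size);
          return &buffer;
        }

        /* Map the zlib status to the matching server warning. */
        code= ((err == Z_BUF_ERROR) ? ER_ZLIB_Z_BUF_ERROR :
          ((err == Z_MEM_ERROR) ? ER_ZLIB_Z_MEM_ERROR : ER_ZLIB_Z_DATA_ERROR));
        push_warning(current_thd,MYSQL_ERROR::WARN_LEVEL_ERROR,code,ER(code));

      err:
        null_value= 1;
        return 0;
      }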
      

      bzr version-info

      revision-id: psergey@askmonty.org-20130505013255-oyp1f1cscm7z8bx8
      revno: 3656
      branch-nick: 5.3
      

              Activity

              elenst Elena Stepanova added a comment -

              Still reproducible on the current 10.0 tree (revno 4471).

              Upstream fix in 5.7.5:

              revno: 8002
              revision-id: tor.didriksen@oracle.com-20140513113847-4ibrwic6moadne9v
              parent: anitha.gopi@oracle.com-20140513113110-zaw6h206p2tn93bx
              committer: Tor Didriksen <tor.didriksen@oracle.com>
              branch nick: trunk-valgrind
              timestamp: Tue 2014-05-13 13:38:47 +0200
              message:
                Bug#18693654 VALGRIND WARNINGS IN INFLATE ON UNCOMPRESS
                
                The value of the sourceLen argument to uncompress() was wrong,
                and we got valgrind warnings when trying to verify the zip header of the compressed data.
              

                People

                • Assignee:
                  serg Sergei Golubchik
                  Reporter:
                  elenst Elena Stepanova
