Server crashes on NAME_CONST containing AND/OR expressions

SELECT NAME_CONST('a', -(1 OR 2)) OR 1;
SELECT NAME_CONST('a', -(1 AND 2)) AND 1;

See the following revision in the mysql/5.6 tree:

    ------------------------------------------------------------
    revno: 2876.473.1
    revision-id: magne.mahre@oracle.com-20110915075714-zzyzvrmfnna2ro42
    parent: kristofer.pettersson@oracle.com-20110906074433-13s7zt1k7rj8gff5
    committer: Magne Mahre <magne.mahre@oracle.com>
    branch nick: mysql-trunk-security
    timestamp: Thu 2011-09-15 09:57:14 +0200
    message:
      Bug#12735545 - PARSER STACK OVERFLOW WITH NAME_CONST CONTAINING
                     OR EXPRESSION

      Using NAME_CONST with a non-constant negated expression as
      value could cause a server crash.

      The issue was solved by adding a more strict test on the
      value argument when constructing the Item_name_const
      object, verifying that the argument is indeed a literal
      constant.
    ------------------------------------------------------------
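To illustrate the guard the commit message describes, here is an added C++ model (not MySQL's or MariaDB's own Item_name_const code): it builds a toy expression tree for the value arguments of the two reproducer statements and accepts only a literal constant or a unary minus applied directly to a literal. The node type, builders and the rejection rule are assumptions made for this example.

```cpp
#include <memory>
#include <vector>

// Toy expression node constructed for this example; it stands in for the
// parsed expression tree and is not MySQL's Item hierarchy.
enum class Kind { Literal, Neg, And, Or };

struct Expr {
    Kind kind;
    std::vector<std::shared_ptr<Expr>> args;
};
using ExprPtr = std::shared_ptr<Expr>;

static ExprPtr lit()                      { return std::make_shared<Expr>(Expr{Kind::Literal, {}}); }
static ExprPtr neg(ExprPtr a)             { return std::make_shared<Expr>(Expr{Kind::Neg, {a}}); }
static ExprPtr land(ExprPtr a, ExprPtr b) { return std::make_shared<Expr>(Expr{Kind::And, {a, b}}); }
static ExprPtr lor(ExprPtr a, ExprPtr b)  { return std::make_shared<Expr>(Expr{Kind::Or, {a, b}}); }

// Strict check modelled on the fix described in the commit message: the value
// argument of NAME_CONST is accepted only if it is a literal constant, or a
// unary minus applied directly to a literal constant. A negated AND/OR subtree
// is rejected when the NAME_CONST item would be built, so it never reaches
// the later fix_fields phase where the crash was observed.
static bool name_const_value_ok(const Expr& value) {
    if (value.kind == Kind::Literal)
        return true;
    if (value.kind == Kind::Neg && value.args.size() == 1)
        return value.args[0]->kind == Kind::Literal;
    return false;
}

// The value expressions from the two reproducer statements on this page.
static bool accepts_neg_and() { return name_const_value_ok(*neg(land(lit(), lit()))); } // -(1 AND 2)
static bool accepts_neg_or()  { return name_const_value_ok(*neg(lor(lit(), lit()))); }  // -(1 OR 2)

// Values a correct guard must still allow, so the check is not over-broad.
static bool accepts_literal()     { return name_const_value_ok(*lit()); }      // 1
static bool accepts_neg_literal() { return name_const_value_ok(*neg(lit())); } // -1
```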

Stack trace in 10.0:

#7  0x0000000000f0787f in __cxa_pure_virtual () at 10.0/mysys/my_new.cc:74
#8  0x00000000008948e5 in Item_cond::fix_fields (this=0x7f13244e06b8, thd=0x7f132733d070, ref=0x7f13244e07f0) at 10.0/sql/item_cmpfunc.cc:4337
#9  0x000000000061780a in setup_fields (thd=0x7f132733d070, ref_pointer_array=0x7f13244e0e48, fields=..., mark_used_columns=MARK_COLUMNS_READ, sum_func_list=0x7f13244e0c48, allow_sum_func=true) at 10.0/sql/sql_base.cc:7723
#10 0x00000000006a036e in JOIN::prepare (this=0x7f13244e0910, rref_pointer_array=0x7f13273416a0, tables_init=0x0, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f1327341428, unit_arg=0x7f1327340d48) at 10.0/sql/sql_select.cc:775
#11 0x00000000006a8f81 in mysql_select (thd=0x7f132733d070, rref_pointer_array=0x7f13273416a0, tables=0x0, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f13244e08f0, unit=0x7f1327340d48, select_lex=0x7f1327341428) at 10.0/sql/sql_select.cc:3270
#12 0x000000000069f78b in handle_select (thd=0x7f132733d070, lex=0x7f1327340c88, result=0x7f13244e08f0, setup_tables_done_option=0) at 10.0/sql/sql_select.cc:372
#13 0x0000000000674811 in execute_sqlcom_select (thd=0x7f132733d070, all_tables=0x0) at 10.0/sql/sql_parse.cc:5301
#14 0x000000000066cbbc in mysql_execute_command (thd=0x7f132733d070) at 10.0/sql/sql_parse.cc:2587
#15 0x0000000000676f9b in mysql_parse (thd=0x7f132733d070, rawbuf=0x7f13244e0088 "SELECT NAME_CONST('a', -(1 AND 2)) AND 1", length=40, parser_state=0x7f132ec06630) at 10.0/sql/sql_parse.cc:6447
#16 0x0000000000669d69 in dispatch_command (command=COM_QUERY, thd=0x7f132733d070, packet=0x7f1327333071 "SELECT NAME_CONST('a', -(1 AND 2)) AND 1", packet_length=40) at 10.0/sql/sql_parse.cc:1308
#17 0x000000000066910b in do_command (thd=0x7f132733d070) at 10.0/sql/sql_parse.cc:1005
#18 0x0000000000783371 in do_handle_one_connection (thd_arg=0x7f132733d070) at 10.0/sql/sql_connect.cc:1379
#19 0x00000000007830c4 in handle_one_connection (arg=0x7f132733d070) at 10.0/sql/sql_connect.cc:1293
#20 0x0000000000aab665 in pfs_spawn_thread (arg=0x7f132665c090) at 10.0/storage/perfschema/pfs.cc:1853
#21 0x00007f132e954b50 in start_thread (arg=<optimized out>) at pthread_create.c:304
#22 0x00007f132d4a3a7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

Stack trace in 5.1:

#4  0x0000000000000000 in ?? ()
#5  0x00000000006f20d5 in is_cond_and (item=0x2da7990) at item_cmpfunc.h:1705
#6  0x00000000006dba31 in MYSQLparse (yythd=0x2d19608) at sql_yacc.yy:6975
#7  0x00000000006bd691 in parse_sql (thd=0x2d19608, parser_state=0x7f4afc050710, creation_ctx=0x0) at sql_parse.cc:8165
#8  0x00000000006b942e in mysql_parse (thd=0x2d19608, rawbuf=0x2da74b0 "SELECT NAME_CONST('a', -(1 AND 2)) AND 1", length=40, found_semicolon=0x7f4afc050ca0) at sql_parse.cc:6182
#9  0x00000000006ab9bd in dispatch_command (command=COM_QUERY, thd=0x2d19608, packet=0x2d869b9 "SELECT NAME_CONST('a', -(1 AND 2)) AND 1", packet_length=40) at sql_parse.cc:1294
#10 0x00000000006aa951 in do_command (thd=0x2d19608) at sql_parse.cc:906
#11 0x00000000006a78e6 in handle_one_connection (arg=0x2d19608) at sql_connect.cc:1238
#12 0x00007f4b050adb50 in start_thread (arg=<optimized out>) at pthread_create.c:304
#13 0x00007f4b04df7a7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

Assignee: Sergei Golubchik

Reporter: Elena Stepanova