Fixed access to undefined memory found by valgrind and MSAN

When my_vsnprintf() is patched, the code protected disabled with 'WAITING_FOR_BUGFIX_TO_VSPRINTF' should be enabled again. Also all %b formats in this patch should be revert to %s again
2025-07-11 15:22:09 +03:00 · 2020-05-15 16:15:49 +03:00
parent dcc0baf540
commit c4bf4b7aef
13 changed files with 42 additions and 63 deletions
--- a/extra/replace.c
+++ b/extra/replace.c
@ -64,7 +64,7 @@ typedef struct st_pointer_array {		/* when using array-strings */
 #define LAST_CHAR_CODE	259
 typedef struct st_replace {
-  my_bool   found;
+  uint8 found;
  struct st_replace *next[256];
 } REPLACE;
@ -654,7 +654,13 @@ static REPLACE *init_replace(char * *from, char * *to,uint count,
    for (i=1 ; i <= found_sets ; i++)
    {
      pos=from[found_set[i-1].table_offset];
-      rep_str[i].found= (my_bool) (!memcmp(pos,"\\^",3) ? 2 : 1);
+      /*
        Test if we are matching start of string (\^)
        We can't use bcmp() here as pos may be only 1 character and
        that would confuse MSAN.
      */
      rep_str[i].found= (uint8) ((pos[0] == '\\' && pos[1] == '^' &&
                                  pos[2] == 0) ? 2 : 1);
      rep_str[i].replace_string=to_array[found_set[i-1].table_offset];
      rep_str[i].to_offset=found_set[i-1].found_offset-start_at_word(pos);
      rep_str[i].from_offset=found_set[i-1].found_offset-replace_len(pos)+
--- a/include/my_dbug.h
+++ b/include/my_dbug.h
@ -52,7 +52,10 @@ extern void _db_enter_(const char *_func_, const char *_file_, uint _line_,
 extern  void _db_return_(struct _db_stack_frame_ *_stack_frame_);
 extern  int _db_pargs_(uint _line_,const char *keyword);
 extern  void _db_doprnt_(const char *format,...)
-  ATTRIBUTE_FORMAT(printf, 1, 2);
+#ifdef WAITING_FOR_BUGFIX_TO_VSPRINTF
  ATTRIBUTE_FORMAT(printf, 1, 2)
 #endif
  ;
 extern  void _db_dump_(uint _line_,const char *keyword,
                       const unsigned char *memory, size_t length);
 extern  void _db_end_(void);
--- a/mysql-test/main/sum_distinct-big.test
+++ b/mysql-test/main/sum_distinct-big.test
@ -3,6 +3,8 @@
 #
 --source include/big_test.inc
 # Test will take more than one hour with valgrind
 --source include/not_valgrind.inc
 --source include/have_innodb.inc
 --source include/have_sequence.inc
--- a/mysql-test/valgrind.supp
+++ b/mysql-test/valgrind.supp
@ -750,45 +750,6 @@
 # Note the wildcard in the (mangled) function signatures of
 # write_keys() and find_all_keys().
 # They both return ha_rows, which is platform dependent.
 #
 # The '...' wildcards are for 'fun:inline_mysql_file_write' and
 # 'fun:find_all_keys' which *may* be inlined.
 {
   Bug#12856915 VALGRIND FAILURE IN FILESORT/CREATE_SORT_INDEX / one
   Memcheck:Param
   write(buf)
   obj:*/libpthread*.so
   fun:my_write
   ...
   fun:my_b_flush_io_cache
   fun:_my_b_write
   fun:_Z*10write_keysP13st_sort_paramPPhjP11st_io_cacheS4_
   ...
   fun:_Z8filesortP3THDP5TABLEP13st_sort_fieldjP10SQL_SELECTybPy
 }
 {
   Bug#12856915 VALGRIND FAILURE IN FILESORT/CREATE_SORT_INDEX / two
   Memcheck:Param
   write(buf)
   obj:*/libpthread*.so
   fun:my_write
   ...
   fun:my_b_flush_io_cache
   fun:_Z15merge_many_buffP13st_sort_paramPhP10st_buffpekPjP11st_io_cache
   fun:_Z8filesortP3THDP5TABLEP13st_sort_fieldjP10SQL_SELECTybPy
 }
 {
   Bug#12856915 VALGRIND FAILURE IN FILESORT/CREATE_SORT_INDEX / three
   Memcheck:Param
   write(buf)
   obj:*/libpthread*.so
   fun:my_write
   ...
   fun:my_b_flush_io_cache
   fun:_Z8filesortP3THDP5TABLEP13st_sort_fieldjP10SQL_SELECTybPy
 }
 {
   OpenSSL still reachable.
--- a/plugin/type_inet/sql_type_inet.cc
+++ b/plugin/type_inet/sql_type_inet.cc
@ -1411,7 +1411,7 @@ void Type_handler_inet6::sort_length(THD *thd,
                                     const Type_std_attributes *item,
                                     SORT_FIELD_ATTR *attr) const
 {
-  attr->length= Inet6::binary_length();
+  attr->original_length= attr->length= Inet6::binary_length();
  attr->suffix_length= 0;
 }
--- a/sql/item_subselect.cc
+++ b/sql/item_subselect.cc
@ -728,8 +728,8 @@ bool Item_subselect::exec()
        QT_WITHOUT_INTRODUCERS));
    push_warning_printf(thd, Sql_condition::WARN_LEVEL_NOTE,
-       ER_UNKNOWN_ERROR, "DBUG: Item_subselect::exec %.*s",
+                        ER_UNKNOWN_ERROR, "DBUG: Item_subselect::exec %.*b",
-       print.length(),print.c_ptr());
+                        print.length(),print.ptr());
  );
  /*
    Do not execute subselect in case of a fatal error
--- a/sql/protocol.cc
+++ b/sql/protocol.cc
@ -1218,7 +1218,7 @@ bool Protocol_text::store(const char *from, size_t length,
 {
  CHARSET_INFO *tocs= this->thd->variables.character_set_results;
 #ifndef DBUG_OFF
-  DBUG_PRINT("info", ("Protocol_text::store field %u (%u): %.*s", field_pos,
+  DBUG_PRINT("info", ("Protocol_text::store field %u (%u): %.*b", field_pos,
                      field_count, (int) length, (length == 0 ? "" : from)));
  DBUG_ASSERT(field_handlers == 0 || field_pos < field_count);
  DBUG_ASSERT(valid_handler(field_pos, PROTOCOL_SEND_STRING));
--- a/sql/signal_handler.cc
+++ b/sql/signal_handler.cc
@ -52,8 +52,9 @@ static inline void output_core_info()
  char buff[PATH_MAX];
  ssize_t len;
  int fd;
-  if ((len= readlink("/proc/self/cwd", buff, sizeof(buff))) >= 0)
+  if ((len= readlink("/proc/self/cwd", buff, sizeof(buff)-1)) >= 0)
  {
    buff[len]= 0;
    my_safe_printf_stderr("Writing a core file...\nWorking directory at %.*s\n",
                          (int) len, buff);
  }
--- a/sql/tztime.cc
+++ b/sql/tztime.cc
@ -1900,7 +1900,7 @@ tz_load_from_open_tables(const String *tz_name, TABLE_LIST *tz_tables)
      Most probably user has mistyped time zone name, so no need to bark here
      unless we need it for debugging.
    */
-     sql_print_error("Can't find description of time zone '%.*s'", 
+     sql_print_error("Can't find description of time zone '%.*b'",
                     tz_name->length(), tz_name->ptr());
 #endif
    goto end;
--- a/storage/maria/ma_bitmap.c
+++ b/storage/maria/ma_bitmap.c
@ -519,9 +519,10 @@ my_bool _ma_bitmap_flush_all(MARIA_SHARE *share)
 #ifdef EXTRA_DEBUG_BITMAP
    {
      char tmp[MAX_BITMAP_INFO_LENGTH];      
-      _ma_get_bitmap_description(bitmap, bitmap->map, bitmap->page, tmp);
+      size_t len;
      len= _ma_get_bitmap_description(bitmap, bitmap->map, bitmap->page, tmp);
      (void) translog_log_debug_info(0, LOGREC_DEBUG_INFO_QUERY,
-                                     (uchar*) tmp, strlen(tmp));
+                                     (uchar*) tmp, len);
    }
 #endif
@ -957,13 +958,13 @@ void _ma_print_bitmap(MARIA_FILE_BITMAP *bitmap, uchar *data,
  Return content of bitmap as a printable string
 */
-void _ma_get_bitmap_description(MARIA_FILE_BITMAP *bitmap,
+size_t _ma_get_bitmap_description(MARIA_FILE_BITMAP *bitmap,
-                                uchar *bitmap_data,
+                                  uchar *bitmap_data,
-                                pgcache_page_no_t page,
+                                  pgcache_page_no_t page,
-                                char *out)
+                                  char *out)
 {
  uchar *pos, *end;
-  uint count=0, dot_printed= 0, len;
+  size_t count=0, dot_printed= 0, len;
  char buff[80], last[80];
  page++;
@ -1000,6 +1001,7 @@ void _ma_get_bitmap_description(MARIA_FILE_BITMAP *bitmap,
  memcpy(out+len, buff, count);
  out[len + count]= '\n';
  out[len + count + 1]= 0;
  return len + count + 1;
 }
--- a/storage/maria/ma_blockrec.h
+++ b/storage/maria/ma_blockrec.h
@ -245,10 +245,10 @@ void _ma_bitmap_set_pagecache_callbacks(PAGECACHE_FILE *file,
 void _ma_print_bitmap(MARIA_FILE_BITMAP *bitmap, uchar *data,
                      pgcache_page_no_t page);
 #endif
-void _ma_get_bitmap_description(MARIA_FILE_BITMAP *bitmap,
+size_t _ma_get_bitmap_description(MARIA_FILE_BITMAP *bitmap,
-                                uchar *bitmap_data,
+                                  uchar *bitmap_data,
-                                pgcache_page_no_t page,
+                                  pgcache_page_no_t page,
-                                char *out);
+                                  char *out);
 uint _ma_apply_redo_insert_row_head_or_tail(MARIA_HA *info, LSN lsn,
                                            uint page_type,
--- a/storage/maria/ma_recovery.c
+++ b/storage/maria/ma_recovery.c
@ -2238,7 +2238,7 @@ prototype_redo_exec_hook(CLR_END)
 prototype_redo_exec_hook(DEBUG_INFO)
 {
-  uchar *data;
+  char *data;
  enum translog_debug_info_type debug_info;
  enlarge_buffer(rec);
@ -2251,11 +2251,10 @@ prototype_redo_exec_hook(DEBUG_INFO)
    return 1;
  }
  debug_info= (enum translog_debug_info_type) log_record_buffer.str[0];
-  data= log_record_buffer.str + 1;
+  data= (char*) log_record_buffer.str + 1;
  switch (debug_info) {
  case LOGREC_DEBUG_INFO_QUERY:
-    tprint(tracef, "Query: %.*s\n", rec->record_length - 1,
+    tprint(tracef, "Query: %.*b\n", (int) rec->record_length - 1, data);
           (char*) data);
    break;
  default:
    DBUG_ASSERT(0);
--- a/storage/maria/ma_recovery_util.h
+++ b/storage/maria/ma_recovery_util.h
@ -31,7 +31,12 @@ extern FILE *tracef;
 my_bool _ma_redo_not_needed_for_page(uint16 shortid, LSN lsn,
                                     pgcache_page_no_t page,
                                     my_bool index);
 #ifdef WAITING_FOR_BUGFIX_TO_VSPRINTF
 void tprint(FILE *trace_file, const char *format, ...)
  ATTRIBUTE_FORMAT(printf, 2, 3);
 void eprint(FILE *trace_file, const char *format, ...)
  ATTRIBUTE_FORMAT(printf, 2, 3);
 #else
 void tprint(FILE *trace_file, const char *format, ...);
 void eprint(FILE *trace_file, const char *format, ...);
 #endif