
virtuoso 7.2.9 crashed at dv_compare #1128

Closed
@fuboat

Description

@fuboat

The PoC is generated by my DBMS fuzzer.

-- Fuzzer-generated reproducer for the dv_compare crash shown in the backtrace below.
-- The statements are kept verbatim: the crash is tied to this exact query shape,
-- so do not reformat, reorder or simplify them when re-running the PoC.
-- Every column except `code` is VARCHAR(80); `code` is the only INTEGER column.
CREATE TABLE element (
      name VARCHAR(80),
      test1 VARCHAR(80),
      f1 VARCHAR(80),
      f2 VARCHAR(80),
      code INTEGER,
      t1 VARCHAR(80),
      a VARCHAR(80),
      example VARCHAR(80),
      b VARCHAR(80),
      c VARCHAR(80),
      folders VARCHAR(80)
    );
-- NOTE(review): the column list names `b` twice, and integer literals are inserted
-- into a VARCHAR(80) column (implicit coercion). Whether the server rejects the
-- duplicate column or keeps one of the two values is not shown here -- confirm
-- from the server's response when reproducing.
INSERT INTO element(b,b) VALUES(38,1444);
-- Deeply nested correlated subqueries over the same table, mixing bare `b`/`c`
-- with the qualified `element.b`/`element.c`. Executing this statement reaches
-- dv_compare via cmp_vec/cmp_vec_any (frames #0-#2 of the backtrace) and the
-- server crashes. Expected behaviour on a fixed build: a result set or a clean
-- SQL error, never a server crash.
SELECT (select ( -count(distinct case case code when b then c*case when b<=element.b+b then code when (abs(element.c)/abs(case when b-coalesce((select max(element.c-element.b) from element where not exists(select 1 from element where 17 in (b,13,(b)) or b in (b,c,element.b))),element.b) not in (b,((c)),element.b) then  -19 when c between code and 13 then 19 else element.c end))=13 then c else 13 end else 17 end when 13 then element.c else element.b end-element.c)) from element) FROM element WHERE coalesce((select max(element.b) from element where element.c<>element.c-13),element.code)>=b or b*coalesce((select max((b)) from element where c not between +coalesce((select max(13) from element where b between  -(abs(( -coalesce((select max(case c when element.c then b else  -element.c end) from element where 11>b and element.b<element.b),element.c)))/abs(b)) and b),code) and element.b),element.b)* -19 not between (17) and element.c and (element.b<=code);

backtrace:

#0 0x60afab (dv_compare+0x3b)
#1 0xc278fb (cmp_vec_any+0x24b)
#2 0xc28caa (cmp_vec+0x12ba)
#3 0x751b48 (code_vec_run_v+0x1368)
#4 0x7ac72d (qn_send_output+0xbd)
#5 0x7ac43e (qn_input+0x3ce)
#6 0x7ac8a6 (qn_send_output+0x236)
#7 0x81e26d (set_ctr_vec_input+0x94d)
#8 0x7ac43e (qn_input+0x3ce)
#9 0x74f268 (subq_next+0x258)
#10 0x81cfa2 (ins_vec_subq+0x2a2)
#11 0x75119b (code_vec_run_v+0x9bb)
#12 0x7b5a9b (end_node_input+0x13b)
#13 0x7ac43e (qn_input+0x3ce)
#14 0x7acb6f (qn_ts_send_output+0x23f)
#15 0x7b247e (table_source_input+0x16ee)
#16 0x7ac43e (qn_input+0x3ce)
#17 0x7b9c3b (fun_ref_node_input+0x36b)
#18 0x7ac43e (qn_input+0x3ce)
#19 0x7ac8a6 (qn_send_output+0x236)
#20 0x81e26d (set_ctr_vec_input+0x94d)
#21 0x7ac43e (qn_input+0x3ce)
#22 0x74f268 (subq_next+0x258)
#23 0x81cfa2 (ins_vec_subq+0x2a2)
#24 0x75119b (code_vec_run_v+0x9bb)
#25 0x7b5a9b (end_node_input+0x13b)
#26 0x7ac43e (qn_input+0x3ce)
#27 0x7acb6f (qn_ts_send_output+0x23f)
#28 0x7b247e (table_source_input+0x16ee)
#29 0x7ac43e (qn_input+0x3ce)
#30 0x7b9c3b (fun_ref_node_input+0x36b)
#31 0x7ac43e (qn_input+0x3ce)
#32 0x7ac8a6 (qn_send_output+0x236)
#33 0x81e26d (set_ctr_vec_input+0x94d)
#34 0x7ac43e (qn_input+0x3ce)
#35 0x74f268 (subq_next+0x258)
#36 0x81cfa2 (ins_vec_subq+0x2a2)
#37 0x75119b (code_vec_run_v+0x9bb)
#38 0x7b5a9b (end_node_input+0x13b)
#39 0x7ac43e (qn_input+0x3ce)
#40 0x7acb6f (qn_ts_send_output+0x23f)
#41 0x7b247e (table_source_input+0x16ee)
#42 0x7ac43e (qn_input+0x3ce)
#43 0x7ac8a6 (qn_send_output+0x236)
#44 0x81e26d (set_ctr_vec_input+0x94d)
#45 0x7ac43e (qn_input+0x3ce)
#46 0x7bdc6e (qr_exec+0x11ee)
#47 0x7cb446 (sf_sql_execute+0x11a6)
#48 0x7cbf4e (sf_sql_execute_w+0x17e)
#49 0x7d4c0d (sf_sql_execute_wrapper+0x3d)
#50 0xe1f01c (future_wrapper+0x3fc)
#51 0xe2691e (_thread_boot+0x11e)
#52 0x7f731e31d609 (start_thread+0xd9)
#53 0x7f731e0ed133 (clone+0x43)

Steps to reproduce (write the PoC to the file '/tmp/test.sql' first):

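# Reproduction script: starts a disposable Virtuoso 7.2.9 container and feeds it
# the PoC from /tmp/test.sql. Expected to be run on a throwaway local Docker host.

# remove any previous container of the same name (ignores "no such container")
docker container rm virtdb_test -f
# start virtuoso through docker. DBA_PASSWORD=dba is a weak, well-known credential;
# it is only acceptable because this container lives for the duration of the test.
docker run --name virtdb_test -itd --env DBA_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.9
# wait for the server to accept SQL instead of a fixed `sleep 10`: poll the same
# trivial query used as the health check below, at most 30 x 2 s = 60 s.
# assumes isql exits non-zero while the server is not yet reachable -- TODO confirm
for _ in $(seq 1 30); do
    if echo "SELECT 1;" | docker exec -i virtdb_test isql 1111 dba >/dev/null 2>&1; then
        break
    fi
    sleep 2
done
# check whether the simple query works (visible output; fails loudly if the
# readiness loop above timed out)
echo "SELECT 1;" | docker exec -i virtdb_test isql 1111 dba
# run the poc; a crash shows up as a lost connection and the backtrace in the
# container's log (docker logs virtdb_test)
docker exec -i virtdb_test isql 1111 dba < "/tmp/test.sql"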
