Hi hoterran,
Through some fuzzing I found a bad SELECT statement that can cause the application to go into a loop forever.
Source query (written out to file 8bc387d1):
select a from b;
SELECT wp_s.* FROM wp_s WHERE ?=? AND osts.ID IN (?,?,?,?,?,?,?) AND wsts.poste = ? AND (wsts. tus = ?) ORDER BY wp_pos_s/* FROM ts.menu_order ASC;
To reproduce:
format 8bc387d1
Output:
3: error: unclosed comment
3: error: unclosed comment ... (ad infinitum)
I Ctrl+C'ed the program and captured the backtrace:
_Backtrace from GDB_:
#0 0x00007ffff7b002f0 in __write_nocancel () at ../sysdeps/unix/syscall-template.S:81
#1 0x00007ffff7a8da83 in _IO_new_file_write (f=0x7ffff7dd41c0 <_IO_2_1_stderr_>, data=0x7ffff7dd4243 <_IO_2_1_stderr_+131>, n=1) at fileops.c:1261
#2 0x00007ffff7a8ef5c in new_do_write (to_do=1, data=0x7ffff7dd4243 <_IO_2_1_stderr_+131> "\n", fp=0x7ffff7dd41c0 <_IO_2_1_stderr_>) at fileops.c:538
#3 _IO_new_do_write (fp=fp@entry=0x7ffff7dd41c0 <_IO_2_1_stderr_>, data=0x7ffff7dd4243 <_IO_2_1_stderr_+131> "\n", to_do=1) at fileops.c:511
#4 0x00007ffff7a8f333 in _IO_new_file_overflow (f=0x7ffff7dd41c0 <_IO_2_1_stderr_>, ch=10) at fileops.c:876
#5 0x00007ffff7a86049 in fputc (c=c@entry=10, fp=0x7ffff7dd41c0 <_IO_2_1_stderr_>) at fputc.c:38
#6 0x0000000000413f6a in fprintf (__fmt=<optimized out>, __stream=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/stdio2.h:97
#7 yyerror (s=0x46751d "unclosed comment") at sql.y:2959
#8 0x000000000044813c in yylex () at sql.l:704
#9 0x00000000004175cc in yyparse () at sql.tab.c:4477
#10 0x0000000000401480 in main (ac=<optimized out>, av=<optimized out>) at format.c:899
#11 0x00007ffff7a35ec5 in __libc_start_main (main=0x4012c0 <main>, argc=2, argv=0x7fffffffe0d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe0c8) at libc-start.c:287
#12 0x000000000040439c in _start ()
System Details:
AMD64
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty
Found with the fuzzer American Fuzzy Lop ( http://lcamtuf.coredump.cx/afl/ )
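The repeating "unclosed comment" line, with yylex still at sql.l:704 in every frame capture, suggests the lexer reports the unterminated `/*` but never consumes the rest of the input or returns an end-of-input token, so yyparse simply calls it again. The hand-written scanner below is an added example (not the project's sql.l or any of its code) of the shape that avoids the loop: on end of input inside a block comment it reports once, consumes everything, and then returns EOF on every later call, so the driver loop is bounded by construction.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* TOK_ERROR is returned exactly once for an unterminated block comment, then
 * TOK_EOF forever after, so a parser loop that keeps calling the lexer cannot spin. */
enum tok { TOK_EOF = 0, TOK_WORD, TOK_PUNCT, TOK_ERROR };

struct lexer { const char *src; size_t pos; int failed; /* set after an error */ };

void lex_init(struct lexer *lx, const char *src) { lx->src = src; lx->pos = 0; lx->failed = 0; }

enum tok lex_next(struct lexer *lx) {
    const char *s = lx->src;
    if (lx->failed) return TOK_EOF;   /* sticky: never re-scan after an error */
    for (;;) {
        while (isspace((unsigned char)s[lx->pos])) lx->pos++;
        if (s[lx->pos] == '\0') return TOK_EOF;
        if (s[lx->pos] == '/' && s[lx->pos + 1] == '*') {
            const char *end = strstr(s + lx->pos + 2, "*/");
            if (end == NULL) {   /* end of input inside the comment */
                lx->failed = 1;
                lx->pos = strlen(s);   /* consume the rest: nothing left to retry */
                fprintf(stderr, "error: unclosed comment\n");
                return TOK_ERROR;
            }
            lx->pos = (size_t)(end - s) + 2;
            continue;   /* comment skipped, look for the next token */
        }
        if (isalnum((unsigned char)s[lx->pos]) || s[lx->pos] == '_') {
            while (isalnum((unsigned char)s[lx->pos]) || s[lx->pos] == '_') lx->pos++;
            return TOK_WORD;
        }
        lx->pos++;
        return TOK_PUNCT;
    }
}

/* Drive the lexer like a parser would: token count, or -1 on an unclosed comment. */
int count_tokens(const char *sql) {
    struct lexer lx; enum tok t; int n = 0;
    lex_init(&lx, sql);
    while ((t = lex_next(&lx)) != TOK_EOF) {
        if (t == TOK_ERROR) return -1;
        n++;
    }
    return n;
}
```

Feeding it the tail of the fuzzer's query (`ORDER BY wp_pos_s/* FROM ts.menu_order ASC;`) produces a single error and a return value of -1 instead of an unbounded stream of diagnostics.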