Details
- Bug
- Resolution: Fixed
- Critical
- 5.5.0
- Untriaged
- Unknown
Description
As identified by UndefinedBehaviorSanitizer (UBSan): if we attempt to eject an item which is compressed, then during the HashTable statistics update we unconditionally dereference the value pointer, which is now null:
void HashTable::Statistics::epilogue(const StoredValue& v) {
    // After performing updates to sv, increase all statistics which sv matches.
    ...

    if (mcbp::datatype::is_snappy(v.getDatatype())) {
        // v.getValue() is null once the item has been ejected, so getData() is
        // called through a null pointer here.
        size_t uncompressed_length = cb::compression::get_uncompressed_length(
                cb::compression::Algorithm::Snappy,
                {v.getValue()->getData(), v.valuelen()});
        uncompressedMemSize.fetch_add(v.metaDataSize() + uncompressed_length);
    } else {
    ...
In the case of UBSan this aborts the program, but I would expect this could lead to a segfault in the full stack.
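A minimal added model of the crash path and a guarded epilogue, written for this page and not taken from kv_engine: StoredValue, Statistics, epilogue and uncompressedMemSize mirror the report's names, while the Snappy varint parser, the DATATYPE_SNAPPY flag value and the fixed metadata size are constructed assumptions.

```cpp
// Added example (not kv_engine code): a cut-down StoredValue whose value
// pointer becomes null on ejection, and an epilogue that checks residency
// before reading the Snappy header instead of dereferencing unconditionally.
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

constexpr uint8_t DATATYPE_SNAPPY = 0x02; // assumed flag value, for illustration

// A Snappy stream begins with the uncompressed length as a little-endian
// base-128 varint; this is what get_uncompressed_length needs to read.
// Returns false on a truncated or over-long (more than 5 byte) varint.
bool snappyUncompressedLength(const uint8_t* data, size_t len, size_t& out) {
    size_t result = 0;
    for (size_t i = 0; i < len && i < 5; ++i) {
        result |= static_cast<size_t>(data[i] & 0x7f) << (7 * i);
        if ((data[i] & 0x80) == 0) {
            out = result;
            return true;
        }
    }
    return false;
}

struct StoredValue {
    uint8_t datatype = 0;
    std::shared_ptr<std::vector<uint8_t>> value; // null once the item is ejected
    size_t metaDataSize() const { return 48; } // constructed constant
    void ejectValue() { value.reset(); }
};

struct Statistics {
    std::atomic<size_t> uncompressedMemSize{0};

    // Returns true when the uncompressed size was accounted; false when the
    // value is not resident (only metadata counted) or the header is invalid.
    bool epilogue(const StoredValue& v) {
        if (!(v.datatype & DATATYPE_SNAPPY)) {
            size_t raw = v.value ? v.value->size() : 0;
            uncompressedMemSize.fetch_add(v.metaDataSize() + raw);
            return true;
        }
        if (!v.value) { // the report's crash path: ejected item, null pointer
            uncompressedMemSize.fetch_add(v.metaDataSize());
            return false;
        }
        size_t len = 0;
        if (!snappyUncompressedLength(v.value->data(), v.value->size(), len)) {
            return false;
        }
        uncompressedMemSize.fetch_add(v.metaDataSize() + len);
        return true;
    }
};
```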