Bombs

The list of bugs and vulnerabilities found during my research.

Protocol Systems (12 CVEs)

CVE-2021-38380 Live555 through 1.08 mishandles huge requests for the same MP3 stream, leading to recursion and a stack-based buffer over-read. An attacker can leverage this to launch a DoS attack. CVSS severity score: 7.5
CVE-2021-38381 Live555 through 1.08 does not handle MPEG-1 or 2 files properly. Sending two successive RTSP SETUP commands for the same track causes a Use-After-Free and daemon crash. CVSS severity score: 6.5
CVE-2021-38382 Live555 through 1.08 does not handle Matroska and Ogg files properly. Sending two successive RTSP SETUP commands for the same track causes a Use-After-Free and daemon crash. CVSS severity score: 6.5
CVE-2021-38383 OwnTone (aka owntone-server) through 28.1 has a use-after-free in net_bind() in misc.c. CVSS severity score: 9.8
CVE-2021-39282 Live555 through 1.08 has a memory leak in AC3AudioStreamParser for AC3 files. CVSS severity score: 7.5
CVE-2021-39283 Live555 through 1.08 allows an assertion failure and application exit via multiple SETUP and PLAY commands in liveMedia/FramedSource.cpp. CVSS severity score: 5.5
CVE-2021-41396 Live555 through 1.08 does not handle socket connections properly. A huge number of incoming socket connections in a short time invokes the error-handling module, in which a heap-based buffer overflow happens. An attacker can leverage this to launch a DoS attack. CVSS severity score: 7.5
CVE-2021-41397 Live555 through 1.08 does not handle MPEG data properly. Sending a specific command sequence in the MPEG stream leaks 2020 bytes once. An attacker can use this to launch a DoS attack.
CVE-2021-41687 DCMTK through 3.6.6 does not handle memory free properly. The program mallocs heap memory for parsing data but does not free it when parsing fails. Sending specific requests to the dcmqrdb program incurs the memory leak. An attacker can use it to launch a DoS attack. CVSS severity score: 7.5
CVE-2021-41688 DCMTK through 3.6.6 does not handle memory free properly. An object in the program is freed, but its address is still used in other locations. Sending specific requests to the dcmqrdb program will incur a double free. An attacker can use it to launch a DoS attack. CVSS severity score: 7.5
CVE-2021-41689 DCMTK through 3.6.6 does not handle string copy properly. On receiving specific requests, the dcmqrdb program queries its database and copies the result even if the result is null, which can incur a heap-based overflow. An attacker can use it to launch a DoS attack. CVSS severity score: 7.5
CVE-2021-41690 DCMTK through 3.6.6 does not handle memory free properly. The malloced memory for storing all file information is recorded in a global variable LST and is not freed properly. Sending specific requests to the dcmqrdb program can incur a memory leak. An attacker can use it to launch a DoS attack. CVSS severity score: 7.5

Database Management Systems (131 bugs)

CockroachDB (28 bugs)

sql: support SCRUB on temp tables Link: https://github.com/cockroachdb/cockroach/issues/83770
Internal Error: Comparison Overload not Found Link: https://github.com/cockroachdb/cockroach/issues/83792
ERROR: no builtin aggregate for SUM_INT on [unknown] Link: https://github.com/cockroachdb/cockroach/issues/83874
Crashing by EXPLAIN Statement Link: https://github.com/cockroachdb/cockroach/issues/83965
Invalid Memory Address Error of Specific SQL Query Link: https://github.com/cockroachdb/cockroach/issues/83973
Unexpected Error of Unique Index Link: https://github.com/cockroachdb/cockroach/issues/83976
Crash: panic: RecordingStructured has 30 recordings; expected 1 Link: https://github.com/cockroachdb/cockroach/issues/84056
Unexpected Overflow Error by Huge Interval Value Link: https://github.com/cockroachdb/cockroach/issues/84154
Inconsistent Case Return Types Decimal Int Link: https://github.com/cockroachdb/cockroach/issues/85356
No Result Returned by SHOW COLUMN Link: https://github.com/cockroachdb/cockroach/issues/85388
internal error: no volatility for cast decimal::timestamp Link: https://github.com/cockroachdb/cockroach/issues/85389
opt: internal error: lookup for ComparisonExpr Link: https://github.com/cockroachdb/cockroach/issues/85390
opt: internal error: no output column equivalent to 2 Link: https://github.com/cockroachdb/cockroach/issues/85393
Unexpected Error in SHOW COLUMNS Link: https://github.com/cockroachdb/cockroach/issues/85394
opt: internal error: estimated row count must be non-zero Link: https://github.com/cockroachdb/cockroach/issues/85499
Unexpected Result by UNION Link: https://github.com/cockroachdb/cockroach/issues/85502
An Unexpected Error in `CROSS MERGE JOIN` Link: https://github.com/cockroachdb/cockroach/issues/88104
ERROR: internal error: expected *DInt, found tree.dNull Link: https://github.com/cockroachdb/cockroach/issues/94264
Potential Issue for Estimated Rows Link: https://github.com/cockroachdb/cockroach/issues/88455
An Issue of Estimated Rows Link: https://github.com/cockroachdb/cockroach/issues/89161
Unexpected Estimated Rows in `HAVING` clause Link: https://github.com/cockroachdb/cockroach/issues/89462
Suspicious Estimated Rows by `OR` Link: https://github.com/cockroachdb/cockroach/issues/90112
Suspicious Estimated Rows by `DISTINCT` Link: https://github.com/cockroachdb/cockroach/issues/90113
Integer Overflow with Index Hints Link: https://github.com/cockroachdb/cockroach/issues/110409
Unexpected Error: overflow during Encode Link: https://github.com/cockroachdb/cockroach/issues/111473
Unexpected Error for ascii() Link: https://github.com/cockroachdb/cockroach/issues/111474

DuckDB (1 bug)

Crash When Creating Index Link: https://github.com/duckdb/duckdb/issues/4976

MariaDB (8 bugs)

Unexpected Result by not_null_range_scan Link: https://jira.mariadb.org/browse/MDEV-32076
Unexpected Result by optimize_join_buffer_size Link: https://jira.mariadb.org/browse/MDEV-32099
Unexpected Result by join_cache_hashed Link: https://jira.mariadb.org/browse/MDEV-32105
Unexpected Result by outer_join_with_cache Link: https://jira.mariadb.org/browse/MDEV-32106
Unexpected Result by table_elimination Link: https://jira.mariadb.org/browse/MDEV-32107
Unexpected Result by join_cache_incremental Link: https://jira.mariadb.org/browse/MDEV-32108
Unexpected Result by mrr Link: https://jira.mariadb.org/browse/MDEV-32143
Unexpected Result by join_cache_bka Link: https://jira.mariadb.org/browse/MDEV-32186

MySQL (13 bugs)

Suspicious Estimated Rows Link: https://bugs.mysql.com/bug.php?id=108833
Suspicious Estimated Rows by JOIN Link: https://bugs.mysql.com/bug.php?id=108851
Suspicious Estimated Rows by DISTINCTROW Link: https://bugs.mysql.com/bug.php?id=108852
Unexpected Error: Memory capacity exceeded Link: https://bugs.mysql.com/bug.php?id=111471
Unexpected Result by subquery_to_derived Link: https://bugs.mysql.com/bug.php?id=112243
Unexpected Result by use_invisible_indexes Link: https://bugs.mysql.com/bug.php?id=112242
Unexpected Result by block_nested_loop Link: https://bugs.mysql.com/bug.php?id=112264
Unexpected Result by the hint JOIN_ORDER Link: https://bugs.mysql.com/bug.php?id=112269
Unexpected Result by NO_BNL Link: https://bugs.mysql.com/bug.php?id=112296
Unexpected Result for an Index Link: https://bugs.mysql.com/bug.php?id=113302
Unexpected Result for LEAST function Link: https://bugs.mysql.com/bug.php?id=113304
Unexpected Result for ENGINE HEAP Link: https://bugs.mysql.com/bug.php?id=113313
Unexpected Result by IF Link: https://bugs.mysql.com/bug.php?id=113317

SQLite (28 bugs)

An Inconsistent Result Depending on Parenthesization Link: https://sqlite.org/forum/forumpost/af3d07f908
An Unexpected NULL Column Caused by Where Clause in RIGHT JOIN Link: https://sqlite.org/forum/forumpost/41cc3851d8
Rows are Unexpectedly Filtered Out by DISTINCT in RIGHT JOIN Link: https://sqlite.org/forum/forumpost/c06b10ad7e
Expression or Constant in GroupBy Clause Link: https://sqlite.org/forum/forumpost/2458c5dea2
Ambiguous Reference Error for Right Join Link: https://sqlite.org/forum/forumpost/e90a8e6e6f
Unexpected Result by WHERE when Joining Tables Link: https://sqlite.org/forum/forumpost/687b0bf563
Unexpected Result by WHERE/RIGHT JOIN Link: https://sqlite.org/forum/forumpost/5cfe08eed6
Unexpected Result in Joining Virtual Tables Link: https://sqlite.org/forum/forumpost/3902c7b833
Unexpected Result by Joining Link: https://sqlite.org/forum/forumpost/c2554d560b
Unexpected Result by RIGHT JOIN on RTree Tables Link: https://sqlite.org/forum/forumpost/087de2d9ec
Unexpected Result by WHERE Again Link: https://sqlite.org/forum/forumpost/de16c4abe2
Unexpected Result by RIGHT JOIN Link: https://sqlite.org/forum/forumpost/206d99a16d
Unexpected Assertion Error in SQLite3MemCompare Link: https://sqlite.org/forum/forumpost/800eecf5e6
Unexpected Result by ORDER BY Link: https://sqlite.org/forum/forumpost/323f86cc30
Unexpected Result by RIGHT JOIN with INDEX Link: https://sqlite.org/forum/forumpost/c4676c4956
Unexpected Result by JSON Link: https://sqlite.org/forum/forumpost/3d9caa45cb
Unexpected Result by Complicated JOINING Link: https://sqlite.org/forum/forumpost/eeb8173cf8
Assertion `pCur->eCurType==CURTYPE_VTAB' failed Link: https://sqlite.org/forum/forumpost/dafe0500b0
Unexpected Result by RIGHT JOIN Again Link: https://sqlite.org/forum/forumpost/51e6959f61
Unexpected Result by Complicated JOINING Again Link: https://sqlite.org/forum/forumpost/b40696f501
Unexpected Assertion Error in valueFromFunction Link: https://sqlite.org/forum/forumpost/e3243e07e8
Unexpected Result by FULL OUTER JOIN Link: https://sqlite.org/forum/forumpost/5610c17c3d
Unexpected Expression on ON clause Link: https://sqlite.org/forum/forumpost/57bdf2217d
Unexpected Expression Result by FULL OUTER JOIN Link: https://sqlite.org/forum/forumpost/6650cd40b5
Unexpected Parse Error Link: https://sqlite.org/forum/forumpost/1a7fea4651
Unexpected Assertion Error in whereRangeScanEst Link: https://sqlite.org/forum/forumpost/c3496cf6b1
Unexpected Result by Union Link: https://sqlite.org/forum/forumpost/174afeae57
Assertion `pRec->nField>0 && pRec->nField<=pIdx->nSampleCol' failed. Link: https://sqlite.org/forum/forumpost/3607259d3c

TiDB (53 bugs)

incorrect unresolved column when using natural join Link: https://github.com/pingcap/tidb/issues/35522
unexpected unresolved column error when the view refers to dual table Link: https://github.com/pingcap/tidb/issues/35527
Runtime error: invalid memory address Link: https://github.com/pingcap/tidb/issues/35623
Unexpected Result with a FALSE Expression in WHERE Link: https://github.com/pingcap/tidb/issues/35645
Unexpected Error by CAST and CHAR functions Link: https://github.com/pingcap/tidb/issues/35652
Unexpected Error for Function INET_ATON Link: https://github.com/pingcap/tidb/issues/35677
Unexpected Connection Lost Link: https://github.com/pingcap/tidb/issues/35678
Inconsistent Results in SELECT Link: https://github.com/pingcap/tidb/issues/36853
Unexpected Result by CONCAT_WS Link: https://github.com/pingcap/tidb/issues/36888
ERROR 8141 (HY000): assertion failed Link: https://github.com/pingcap/tidb/issues/38295
Incorrect Results by `REGEXP` Link: https://github.com/pingcap/tidb/issues/38303
Incorrect Result by `LEFT JOIN` Link: https://github.com/pingcap/tidb/issues/38304
runtime error: invalid memory address or nil pointer dereference Link: https://github.com/pingcap/tidb/issues/38305
Unexpected Results Link: https://github.com/pingcap/tidb/issues/38310
Error [types:1690]%s value is out of range in '%s' Link: https://github.com/pingcap/tidb/issues/38352
Unexpected Error: Failed to read auto-increment value from storage engine Link: https://github.com/pingcap/tidb/issues/38483
Unexpected Results by RIGHT JOIN Link: https://github.com/pingcap/tidb/issues/38654
rule PredicatePushDown pushes wrong filter across projection Link: https://github.com/pingcap/tidb/issues/38736
Unexpected Estimated Rows of `OR` Link: https://github.com/pingcap/tidb/issues/38319
Question About the Estimated Rows in `GROUP BY` Link: https://github.com/pingcap/tidb/issues/38474
Suspicious Estimated Rows by `JOIN` Link: https://github.com/pingcap/tidb/issues/38479
Suspicious Estimated Rows by HAVING Link: https://github.com/pingcap/tidb/issues/38482
Unexpected Estimated Rows by INNER JOIN Link: https://github.com/pingcap/tidb/issues/38665
Unexpected Estimated Rows by WHERE clause Link: https://github.com/pingcap/tidb/issues/38721
runtime error: index out of range [7] with length 4 Link: https://github.com/pingcap/tidb/issues/44747
runtime error: index out of range [0] with length 0 Link: https://github.com/pingcap/tidb/issues/46535
ERROR 1690: overflows float Link: https://github.com/pingcap/tidb/issues/46538
ERROR 1105 (HY000): interface conversion Link: https://github.com/pingcap/tidb/issues/46556
Uncertain Results by MERGE_JOIN Link: https://github.com/pingcap/tidb/issues/46580
Error For MPP Stream Link: https://github.com/pingcap/tidb/issues/46598
Unexpected Results in TiFlash Link: https://github.com/pingcap/tidb/issues/46599
Unexpected Results in TiFlash 2 Link: https://github.com/pingcap/tidb/issues/46601
Unexpected Results by the hint USE_INDEX in TiFlash Link: https://github.com/pingcap/tidb/issues/47019
Unexpected Result by BROADCAST_JOIN in TiFlash Link: https://github.com/pingcap/tidb/issues/47020
Unexpected Result in TiFlash 3 Link: https://github.com/pingcap/tidb/issues/47286
Unexpected Result by MERGE_JOIN Link: https://github.com/pingcap/tidb/issues/47345
ERROR 1105 encoding failed Link: https://github.com/pingcap/tidb/issues/47346
Unexpected Error Lost Connection Link: https://github.com/pingcap/tidb/issues/47347
Unexpected Error Overflow Link: https://github.com/pingcap/tidb/issues/47348
Unexpected Result by REGEXP Link: https://github.com/pingcap/tidb/issues/49107
Unexpected Result by NATURAL RIGHT JOIN Link: https://github.com/pingcap/tidb/issues/49108
runtime error: index out of range [320] with length 320 Link: https://github.com/pingcap/tidb/issues/49109
errors in results with 4 cartesian products + only true filter Link: https://github.com/pingcap/tidb/issues/49110
Unexpected Result by FIELD Function Link: https://github.com/pingcap/tidb/issues/49131