From: Kristofer Pettersson Date: November 25 2010 9:02am Subject: bzr commit into mysql-5.1-bugteam branch (kristofer.pettersson:3509) Bug#57132 List-Archive: http://lists.mysql.com/commits/124985 X-Bug: 57132 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0576300876972744446==" --===============0576300876972744446== MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline #At file:///home/thek/bzr/mysql-5.1-bugteam/ based on revid:davi.arnaut@stripped 3509 Kristofer Pettersson 2010-11-25 Bug#57132 conv function crashes, negative argument to memcpy Using a large negative base in SQL function CONV could crash the server. longlong2str() can return a null pointer if radix < 0 && (radix<-36 || radix<-2). If ptr < ans then the argument length will become very big. If the call to longlong2str() is successful the pointer would have pointed to the character just after the the result in the destination string. modified: mysql-test/r/func_str.result mysql-test/t/func_str.test sql/item_strfunc.cc
=== modified file 'mysql-test/r/func_str.result'
--- a/mysql-test/r/func_str.result 2010-03-26 05:49:35 +0000
+++ b/mysql-test/r/func_str.result 2010-11-25 09:02:19 +0000
@@ -2600,4 +2600,10 @@ ORDER BY QUOTE(t1.a);
 1
 1
 DROP TABLE t1;
+#
+# Bug57132 conv function crashes, negative argument to memcpy
+#
+SELECT CONV(1,-2147483648,-2147483648);
+CONV(1,-2147483648,-2147483648)
+
 End of 5.1 tests
=== modified file 'mysql-test/t/func_str.test'
--- a/mysql-test/t/func_str.test 2010-03-26 05:49:35 +0000
+++ b/mysql-test/t/func_str.test 2010-11-25 09:02:19 +0000
@@ -1362,4 +1362,9 @@ SELECT 1 FROM t1, t1 t2
 ORDER BY QUOTE(t1.a);
 DROP TABLE t1;
+--echo #
+--echo # Bug57132 conv function crashes, negative argument to memcpy
+--echo #
+SELECT CONV(1,-2147483648,-2147483648);
+
 --echo End of 5.1 tests
=== modified file 'sql/item_strfunc.cc'
--- a/sql/item_strfunc.cc 2010-05-03 16:14:39 +0000 
+++ b/sql/item_strfunc.cc 2010-11-25 09:02:19 +0000 
@@ -2700,7 +2700,9 @@ String *Item_func_conv::val_str(String *
 from_base, &endptr, &err);
 }
- ptr= longlong2str(dec, ans, to_base);
+ if (!(ptr= longlong2str(dec, ans, to_base)))
+ return &my_empty_string;
+
 if (str->copy(ans, (uint32) (ptr-ans), default_charset()))
 return &my_empty_string;
 return str;
--===============0576300876972744446== MIME-Version: 1.0 Content-Type: text/bzr-bundle; charset="us-ascii"; name="bzr/kristofer.pettersson@stripped" Content-Transfer-Encoding: 7bit Content-Disposition: inline # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: kristofer.pettersson@stripped\ # hk2b0vf7h2f9uxi1 # target_branch: file:///home/thek/bzr/mysql-5.1-bugteam/ # testament_sha1: 9c09232516aaebdcd6dbb70f7f6246c5288a88bb # timestamp: 2010-11-25 10:02:24 +0100 # base_revision_id: davi.arnaut@stripped\ # ibvsezsj0nth3bw9 # # Begin bundle IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWUWJNEMAAyRfgEAQeWf//1ot 7wC////0YAcXMr4DlQ7rMigoAkV4SSRplMg0mhp4inmQk8mnokZAA0aNBKTU0R6o9R/qExMI1AAA NAGQADmATATIwAjExMJhMENMTTASmlNCmyjynhJ6hpkMgGgA0GhoyA5gEwEyMAIxMTCYTBDTE0wE kgTQBDE0ptNMTRlPREaNT1AZA/UhbIfk9FOYgY1NNRJ4+dlmVmxWzUzKsqF7sS6YRlHwygElpiJo RVLRS8C30qkuaNIja/VLPgwNjzNKyEkkmlzhXXbJMJIsRWjcNaNRROnVn5br3HgbxCGdV5M7G+2p sq+X2ipQ/EPH0U1rTVUZPvJzuWtZVGaEqk3Ns9XdDwc70kE587oTeeCMuJZMUIb+Wy25uNFBvJd0 0F2+dHYKVhLjYIWTK7bRjZP2Lp4FfHu44FuAHalqGgZTl2w+wDCKSwj7lNyQrXbDUXD7pDhK8Kph uvRltfculY1UJQsKkKIzHgpQkta5xQH6vdvB5aEFzgDxkJ6ScDQgXCHLzaBhIxl2JQrpIypfMODC JqJQiNSzuHDFbm1HorBGRqFJlcVwDkvdy7ViD7seRfiS2RQvxm16vU6ZBARcq3xwhjjYp1JrEWKW 0Tv+XSgG2glBM35RMXlJv2kRGePMoK1xvW0YUSvE2jNqUEXsJFQaERG+jcatWkxFe0YabLcEAdWs pwFsKDMRabjwY5CLDwH8VgOtv2GDNbCmwI0GTBTWyPgLVa8iEdjFpHRVPaxuApS+0YhFoGruJZJS iZ0yE6gqSzk4MPwwqMo4tjEYmJYmEhGK6wiwMxcEygd8Evjcx0pttuxM3RCkRqfoSswB5mzoWBkT uuK7aBqC55eshrl8ZhJoJ8Cs2M9cTmRY/QLIgMdO1I80jN6HFg1WssoHHkW4GKoKBzr1RUtZI+0Y XWlApaG4ogOHkoYIrGcSJWbSv18RFxdM2NUyMXF5XOKVEs5haUkqSwxvjqssbYayJOzXsgIipyGk 
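Review bot: The new null check on `longlong2str()` stops the bad `ptr-ans` length from reaching `str->copy()`, but it catches the invalid base at the last possible step and answers with an empty string, so an out-of-range `to_base` is now silently accepted rather than rejected as an invalid argument. The argument validation in the prologue of `Item_func_conv::val_str` (outside this hunk) is what let `-2147483648` get this far; if, as is common, it bounds the bases with `abs()`, that is undefined for the most-negative int and the prologue check should be rewritten with explicit signed comparisons so both `to_base` and `from_base` (the regression test sets both to that value) are rejected before any conversion runs. Please also add a why-comment above the guard, e.g. `/* longlong2str() returns NULL for an unsupported radix; without this ptr-ans would be a huge length */`, so the next reader does not remove it as redundant with the prologue check. The rest of `Item_func_conv::val_str` lies outside the hunk.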
Ic+BI51l5ea3Up09Tx1JddVAnKSA5eKj9KRbpinGJtmhnd6JniaypPZCiAJ0hoPHMERQi3d7GzlZ eDsmnCaUzLYrEq/ovbBPSLhStOyEl75NgiEREMxqIEmqQ0hoCOS8PEPpDr+tt6uQN+PZwupsVD7C knQjgMuZ2O4WWHM6EzzPEY/96e/NJVWnsYQVekni+1+iozfHMYqytQZRD7rrIBUsO8L3KfOrx5y7 +5tAhl2HieOg0azUc6vAsKvXaXc+9+knJPLWbVKoiKN25xqSYfrqKjr6iBWZSJ5qk+5XZO+cyC0g wlSgH7JB5pgjMG4mJQeS15ZO8SZzMHEDDEiWopRg6kklmQXY0KvxZs6g5XVcvX7AyzWO2EA0hFAa FJ46vmaeJZwJYvrO6tXoWsUOxqAs9L8eK1XXPpLbtUjU/G0KRvIuwZot0+biYxKhdsbHh9A4JkSK mHuBZ7ob/BOQubqK1yr0oQ6qwP4qBOApJJcCitfFY2YttuW0rEdPIl5iPI2hDohWh0Mf7L5rqpkT k8+d2TtyXsRCXC1wdHjsw9CJOtmExA5kl6mjjDrW+Ye2rl49xDl6D4ANsgBk0FwLBEjzGWZhuSm5 dkDhsmwpTandkmlfT1C28zoPCBBNkFHNiLlfdnmiiAsHSKydC6i3McNJ8isJma/K1cbRy24jrsN5 wEX+9pvF19f6GYMt3ya7hsKmdrNQfmSQw0c4BgbNZUdViJMLiRkdYSd5Omb08ogF5bE39zW/wAMB mXFMnWhWqwyvMKqjoU8aphZZyI/vF5RKxzOcptODrU0mALlChRQUMDxQCLkyZlEooqLIZFRICa90 5OZFVSevTDZtTBsyHfQ5F70L6Lub0gs4MgYE3pUKCmfAlSK5VOWHCjPUarkH1x3smRAKfqCqirPG W2b+XtHmYLn7myJr1hxu5nI4k2HM5d3IThioaT8xKWJg8VGRgEkEs18OzycFaUrUwNc8/jQFcs9C acaURzTiUWGVZrjKmhXyrwTYS8zLo5KD5QspUi9cgpFtTu2k4sp0LmubMzNRyWU3oVbkqEKkVayI iGZzSDspW7Pn8gZ6Ym/ONqepfmJi4d1g9MdO+Yl6K01CadCeg9reeesvtCKI0CgkE1HyehmQPmyL 8kl4knmyjfifX8LvzmZGmsvdWGYMnITY6Hm5RvEQXvNpOYQg9Z6qTwEU9kFULQTLgymIvLDjiWJL z1ED6FpwEPqS8ita08bvZ6lhUQTUhbMJmWfHYXckU4UJBFiTRDA= --===============0576300876972744446==--