From:ahristov Date:September 27 2006 7:23pm
Subject:bk commit into 5.0 tree (andrey:1.2257) BUG#21311
Below is the list of changes that have just been committed into a local
5.0 repository of andrey. When andrey does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet@stripped, 2006-09-27 21:23:17+02:00, andrey@stripped +3 -0
  Fix for bug#21311: Possible stack overrun if SP has non-latin1 name
    
  There was a possible stack overrun in an edge case which handles an invalid body of
  a SP in mysql.proc . That should be the case when mysql.proc has been changed
  manually. Though, due to bug 21513, it can be exploited without having access
  to mysql.proc, only by being able to create a stored routine.

  mysql-test/r/sp.result@stripped, 2006-09-27 21:23:13+02:00, andrey@stripped +7 -0
    update result

  mysql-test/t/sp.test@stripped, 2006-09-27 21:23:13+02:00, andrey@stripped +13 -0
    add a test case for the bug

  sql/sp.cc@stripped, 2006-09-27 21:23:13+02:00, andrey@stripped +11 -1
    Fix stack overrun. This happen mostly when mysql.proc is damaged, though
    it's possible due to another bug which creates invalid SP body in mysql.proc
    (leading quote from a label being cut) to create stack overrun even without
    having direct access to mysql.proc

# This is a BitKeeper patch.  What follows are the unified diffs for the
# set of deltas contained in the patch.  The rest of the patch, the part
# that BitKeeper cares about, is below these diffs.
# User:	andrey
# Host:	example.com
# Root:	/work/mysql-5.0-runtime

--- 1.211/mysql-test/r/sp.result	2006-09-27 21:23:26 +02:00
+++ 1.212/mysql-test/r/sp.result	2006-09-27 21:23:26 +02:00
@@ -5394,4 +5394,11 @@ Procedure	sql_mode	Create Procedure
 bug21416		CREATE DEFINER=`root`@`localhost` PROCEDURE `bug21416`()
 show create procedure bug21416
 drop procedure bug21416|
+set names utf8|
+drop database if exists това_е_дълго_име_за_база_данни_нали|
+create database това_е_дълго_име_за_база_данни_нали|
+INSERT INTO mysql.proc VALUES ('това_е_дълго_име_за_база_данни_нали','това_е_процедура_с_доста_дълго_име_нали_и_още_по_дълго','PROCEDURE','това_е_процедура_с_доста_дълго_име_нали_и_още_по_дълго','SQL','CONTAINS_SQL','NO','DEFINER','','','bad_body','root@localhost',now(), now(),'','')|
+call това_е_дълго_име_за_база_данни_нали.това_е_процедура_с_доста_дълго_име_нали_и_още_по_дълго()|
+ERROR HY000: Failed to load routine това_е_дълго_име_за_база_данни_нали.това_е_процедура_с_доста_дълго_име_нали_и_още_по_дълго. The table mysql.proc is missing, corrupt, or contains bad data (internal code -6)
+drop database това_е_дълго_име_за_база_данни_нали|
 drop table t1,t2;

--- 1.199/mysql-test/t/sp.test	2006-09-27 21:23:26 +02:00
+++ 1.200/mysql-test/t/sp.test	2006-09-27 21:23:26 +02:00
@@ -6323,6 +6323,19 @@ call bug21416()|
 drop procedure bug21416|
 
 #
+# BUG#21311: Possible stack overrun if SP has non-latin1 name
+#
+set names utf8|
+--disable_warnings
+drop database if exists това_е_дълго_име_за_база_данни_нали|
+--enable_warnings
+create database това_е_дълго_име_за_база_данни_нали|
+INSERT INTO mysql.proc VALUES ('това_е_дълго_име_за_база_данни_нали','това_е_процедура_с_доста_дълго_име_нали_и_още_по_дълго','PROCEDURE','това_е_процедура_с_доста_дълго_име_нали_и_още_по_дълго','SQL','CONTAINS_SQL','NO','DEFINER','','','bad_body','root@localhost',now(), now(),'','')|
+--error ER_SP_PROC_TABLE_CORRUPT
+call това_е_дълго_име_за_база_данни_нали.това_е_процедура_с_доста_дълго_име_нали_и_още_по_дълго()|
+drop database това_е_дълго_име_за_база_данни_нали|
+
+#
 # BUG#NNNN: New bug synopsis
 #
 #--disable_warnings
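Review bot: The `INSERT INTO mysql.proc VALUES (...)` fixture in the middle of the hunk has no column list, so the sixteen positional values silently shift into the wrong columns the next time a column is added to mysql.proc, and the test would then stop exercising the corrupt-body path it was written for; spelling out the columns (`INSERT INTO mysql.proc (db, name, type, specific_name, ...) VALUES (...)`) pins the fixture to the schema. The `set names utf8|` at the top of the block is never reset, so unless a later statement outside the hunk restores the charset it leaks into the BUG#NNNN template section that follows. A one-line comment above the INSERT such as `# deliberately corrupt body: exercises the "bad data" load path from BUG#21311` would tell the next reader why the row is written directly instead of through CREATE PROCEDURE.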

--- 1.116/sql/sp.cc	2006-09-27 21:23:26 +02:00
+++ 1.117/sql/sp.cc	2006-09-27 21:23:26 +02:00
@@ -1633,7 +1633,17 @@ sp_cache_routines_and_add_tables_aux(THD
          */
         if (!thd->net.report_error)
         {
-          char n[NAME_LEN*2+2];
+          /*
+            SP allows full NAME_LEN chars thus he have to allocate enough
+            size in bytes. Otherwise there is stack overrun could happen
+            if multibyte sequence is `name`. `db` is still safe because the
+            rest of the server checks agains NAME_LEN bytes and not chars.
+            Hence, the overrun happens only if the name is in length > 32 and
+            uses multibyte (cyrillic, greek, etc.)
+
+            !! Change 3 with SYSTEM_CHARSET_MBMAXLEN when it's defined.
+          */
+          char n[NAME_LEN*3*2+2];
 
           /* m_qname.str is not always \0 terminated */
           memcpy(n, name.m_qname.str, name.m_qname.length);
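Review bot: The enlarged buffer does not bound the copy on the hunk's last line: `memcpy(n, name.m_qname.str, name.m_qname.length)` still trusts a length that comes from mysql.proc, which the commit message itself describes as possibly hand-edited, so any future change to NAME_LEN or to the multibyte width reopens the overrun. Clamping to the buffer, `size_t len= min(name.m_qname.length, sizeof(n) - 1);` then `memcpy(n, name.m_qname.str, len);` (and writing the terminator at `n[len]`, which presumably follows the hunk), makes the array size the single source of truth. The `!!` reminder in the new comment would be better expressed in the declaration itself, `char n[NAME_LEN*SYSTEM_CHARSET_MBMAXLEN*2+2];`, once that macro is available in this tree, so the magic 3 cannot drift; the comment text also reads "he have to" and "checks agains" where "we have to" and "checks against" are meant. sp_cache_routines_and_add_tables_aux begins and ends outside the hunk.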