From: Martin Hansson Date: December 28 2010 8:26am Subject: bzr commit into mysql-5.1-bugteam branch (martin.hansson:3534) Bug#58165 List-Archive: http://lists.mysql.com/commits/127616 X-Bug: 58165 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1589285444==" --===============1589285444== MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline #At file:///data0/martin/bzrroot/bug58165/5.1bt-lazy_copy/ based on revid:sergey.glukhov@stripped 3534 Martin Hansson 2010-12-28 Bug#58165: "my_empty_string" gets modified and causes LOAD DATA to fail and other crashes Some string manipulating SQL functions use a shared string object intended to contain an immutable empty string. This objectt was used by the SQL function SUBSTRING_INDEX() to return an empty string when one argument was of the wrong datatype. If the string object was then modified by the sql function INSERT(), undefined behavior ensued. Fixed by instead modifying the string object representing the function's result value when SUBSTRING_INDEX() returns an empty string due to errors. Relevant code has also been documented. modified: mysql-test/r/func_str.result mysql-test/t/func_str.test sql/item_strfunc.cc sql/sql_string.cc sql/sql_string.h
=== modified file 'mysql-test/r/func_str.result'
--- a/mysql-test/r/func_str.result 2010-12-14 16:08:25 +0000
+++ b/mysql-test/r/func_str.result 2010-12-28 08:26:14 +0000
@@ -2612,4 +2612,20 @@ CONVERT(('' IN (REVERSE(CAST(('') AS DEC
 1
 Warnings:
 Warning 1292 Truncated incorrect DECIMAL value: ''
+#
+# Bug#58165: "my_empty_string" gets modified and causes LOAD DATA to fail
+# and other crashes
+#
+CREATE TABLE t1 ( a TEXT );
+SELECT 'aaaaaaaaaaaaaa' INTO OUTFILE 'bug58165.txt';
+SELECT insert( substring_index( 'a', 'a', 'b' ), 1, 0, 'x' );
+insert( substring_index( 'a', 'a', 'b' ), 1, 0, 'x' )
+x
+Warnings:
+Warning 1292 Truncated incorrect INTEGER value: 'b'
+LOAD DATA INFILE 'bug58165.txt' INTO TABLE t1;
+SELECT * FROM t1;
+a
+aaaaaaaaaaaaaa
+DROP TABLE t1;
 End of 5.1 tests
=== modified file 'mysql-test/t/func_str.test'
--- a/mysql-test/t/func_str.test 2010-12-14 16:08:25 +0000
+++ b/mysql-test/t/func_str.test 2010-12-28 08:26:14 +0000
@@ -1369,4 +1369,15 @@ DROP TABLE t1;
 SELECT '1' IN ('1', SUBSTRING(-9223372036854775809, 1));
 SELECT CONVERT(('' IN (REVERSE(CAST(('') AS DECIMAL)), '')), CHAR(3));
+--echo #
+--echo # Bug#58165: "my_empty_string" gets modified and causes LOAD DATA to fail
+--echo # and other crashes
+--echo #
+CREATE TABLE t1 ( a TEXT );
+SELECT 'aaaaaaaaaaaaaa' INTO OUTFILE 'bug58165.txt';
+SELECT insert( substring_index( 'a', 'a', 'b' ), 1, 0, 'x' );
+LOAD DATA INFILE 'bug58165.txt' INTO TABLE t1;
+SELECT * FROM t1;
+DROP TABLE t1;
+
 --echo End of 5.1 tests
=== modified file 'sql/item_strfunc.cc'
--- a/sql/item_strfunc.cc 2010-11-11 10:25:23 +0000
+++ b/sql/item_strfunc.cc 2010-12-28 08:26:14 +0000
@@ -1305,8 +1305,10 @@ String *Item_func_substr_index::val_str(
 null_value=0;
 uint delimiter_length= delimiter->length();
 if (!res->length() || !delimiter_length || !count)
- return &my_empty_string; // Wrong parameters
-
+ {
+ str_value.set("", 0, collation.collation); // Wrong parameters
+ return &str_value;
+ }
 res->set_charset(collation.collation);
 #ifdef USE_MB
=== modified file 'sql/sql_string.cc'
--- a/sql/sql_string.cc 2010-07-09 12:00:17 +0000
+++ b/sql/sql_string.cc 2010-12-28 08:26:14 +0000
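Review bot: The added test in mysql-test/t/func_str.test leaves `bug58165.txt` on disk: `SELECT ... INTO OUTFILE 'bug58165.txt'` creates the file and nothing after `DROP TABLE t1;` removes it. INTO OUTFILE refuses to overwrite an existing file, so a repeated run against the same data directory would presumably fail at that statement, and the leftover file stays readable by later tests. Read `@@datadir` into a variable such as `$MYSQLD_DATADIR` before the statement and finish with `--remove_file $MYSQLD_DATADIR/test/bug58165.txt` (assuming the test runs in the default `test` database).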
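Review bot: `my_empty_string` remains a mutable shared object handed out through a non-const `String *`; the hunk in sql/item_strfunc.cc replaces one `return &my_empty_string;`, while the commit message says several string functions use that object, so any other `val_str()` that still returns it (not visible here) keeps the same state-corruption hazard as soon as a caller edits the result in place. Consider auditing the remaining users or guarding the shared object in debug builds, and record the reason at this site, e.g. `// Return a per-item empty string: callers such as INSERT() may modify the result in place.` The new branch also relies on `String::set()` leaving `str_value` without ownership of the literal, so that a later write reallocates instead of writing into `""`; that body is outside the hunk and should be confirmed. `val_str()` itself starts and ends outside the hunk.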
@@ -58,11 +58,33 @@ bool String::real_alloc(uint32 arg_lengt
 }
-/*
-** Check that string is big enough. Set string[alloc_length] to 0
-** (for C functions)
-*/
+/**
+ Allocates a new buffer on the heap for this String.
+
+ - If the String's internal buffer is privately owned and heap allocated,
+ one of the following is performed.
+
+ - If the requested length is greater than what fits in the buffer, a new
+ buffer is allocated, data moved and the old buffer freed.
+
+ - If the requested length is less or equal to what fits in the buffer, a
+ null character is inserted at the appropriate position.
+ - If the String does not keep a private buffer on the heap, such a buffer
+ will be allocated and the string copied accoring to its length, as found
+ in String::length().
+
+ For C compatibility, the new string buffer is null terminated.
+
+ @param alloc_length The requested string size in characters, excluding any
+ null terminator.
+
+ @retval false Either the copy operation is complete or, if the size of the
+ new buffer is smaller than the currently allocated buffer (if one exists),
+ no allocation occured.
+
+ @retval true An error occured when attempting to allocate memory.
+*/
 bool String::realloc(uint32 alloc_length)
 {
 uint32 len=ALIGN_SIZE(alloc_length+1);
@@ -196,6 +218,17 @@ bool String::copy()
 return FALSE;
 }
+/**
+ Copies the internal buffer from str. If this String has a private heap
+ allocated buffer where new data does not fit, a new buffer is allocated
+ before copying and the old buffer freed. Character set information is also
+ copied.
+
+ @param str The string whose internal buffer is to be copied.
+
+ @retval false Success.
+ @retval true Memory allocation failed.
+*/
 bool String::copy(const String &str)
 {
 if (alloc(str.str_length))
=== modified file 'sql/sql_string.h'
--- a/sql/sql_string.h 2010-10-19 22:36:59 +0000
+++ b/sql/sql_string.h 2010-12-28 08:26:14 +0000
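Review bot: The new comment on `String::realloc()` gives `alloc_length` "in characters", but the visible first statement `uint32 len=ALIGN_SIZE(alloc_length+1);` reserves exactly one extra unit for the terminator, which suggests the unit is bytes; with a multi-byte character set a caller who reads the comment literally would under-size the buffer. Suggest `@param alloc_length The requested string size in bytes, excluding the null terminator.`, and the same unit for `@param arg_length` in the `String::set()` comment added in sql/sql_string.h. The summary "Allocates a new buffer on the heap" also contradicts the documented case where the existing buffer is large enough and nothing is allocated, and "accoring" and "occured" are misspelled. Only the first lines of `realloc()` are inside the hunk, so the described behaviour could not be checked against the body.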
@@ -136,6 +136,16 @@ public:
 Alloced_length=0;
 str_charset=str.str_charset;
 }
+
+
+ /**
+ Points the internal buffer to the supplied one. The old buffer is freed.
+ @param str Pointer to the new buffer.
+ @param arg_length Length of the new buffer in characters, excluding any
+ null character.
+ @param cs Character set to use for interpreting string data.
+ @note The new buffer will not be null terminated.
+ */
 inline void set(char *str,uint32 arg_length, CHARSET_INFO *cs)
 {
 free();
--===============1589285444== MIME-Version: 1.0 Content-Type: text/bzr-bundle; charset="us-ascii"; name="bzr/martin.hansson@stripped" Content-Transfer-Encoding: 7bit Content-Disposition: inline # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: martin.hansson@stripped\ # 89pkwzhescwz2qw2 # target_branch: file:///data0/martin/bzrroot/bug58165/5.1bt-\ # lazy_copy/ # testament_sha1: a715adc09c69e3d09dde2cf57a79aef6c1216de6 # timestamp: 2010-12-28 09:26:17 +0100 # base_revision_id: sergey.glukhov@stripped\ # epoilau29aftwat4 # # Begin bundle IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWfQ1ycUABbjfgGhwWff//3/n /sC////6YA0j7zIFTMcWFapbR2XaO0q13MK6AxRrVUogwlCmieiaGpg0p6njVPCTeppHtJqep6m1 DQGRoHqaeUElJphTJtTDSBGjSaPUAaaGQNBpoAABw00wQyGmmRkwgGmgDCaNMmABA0EiIICTCTGl T8InkZU9J+pmqaAwnqADQ2KaHDTTBDIaaZGTCAaaAMJo0yYAEDQSSCaACMSeKYJE8mCozIjJppjU NAA8pEFxUQx1vhfvuvIku9j84jE/FnOUeMrukU8Pt48fvnsC3405uVkgDN3aOHHBieiqqveQcI7n hX5Pjw4JsUuC0PhuQwxQF7yMHUqrpXoJbIvSzCf1qqHczhEepfUDRkqm0DNPFVHKEu/flbCjjpV2 8NUl2sS0HAA5IBhmSTHBZB0fUsV/UrC/cDXMd760WGzMPcj8EdCGNttjY2GAaf9Dqrx+caXVlE9T OzrgKcbVpFKESWxmJsqKrlbJjfYmROfCXufJD7kIqSB+8W9hDcEhInCTuLDdEjRKrNQd5WOkdJJI 2zJoIWJdSv0+NLnaZ6zoIWS2VRh+YfobMs3pS98eh614NV95Gcy3lFJkcCkxMcvhsxzyXoWyNMLZ awQVuRssUhTqSjVM3fLfyZNn9sLx+hV1ocGbNZnGxOvkTpNpZZXHzNvJrbfIwK4QsKbtUOr5XARt upnBTnjU0pCoU+Wey1pJthoi1tCNZWzzsLAvhbB8y5opnGjHEPiuWewP8MfoWwRsN+LN/Ao51g2k 8NeQlYxeauzwrWmz6FPLY02K+Tn8Gp2SV5I1WCcp101a3pD2Tbt8xt8y1trKbLKHXDBDny0fQQeo
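Review bot: The comment added for `set(char *str, uint32 arg_length, CHARSET_INFO *cs)` does not say who owns the supplied buffer, which is the property the fix in sql/item_strfunc.cc depends on when it points `str_value` at a string literal. If this overload records no allocation, as the `Alloced_length=0;` assignment in the overload just above suggests (its body beyond `free();` is outside the hunk), the doc should state it: `@note The String does not take ownership of str; the caller must keep the buffer alive and unchanged for as long as this String refers to it.` The existing note would be more precise as `@note No null terminator is written; the buffer is used as supplied.`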
hypgn+0bbe9P5bmmUNpkJlQDpvCsmUD4lNxxgW0UKyLIwbUUqRbNGY2iTpQk7kyluaJ9oh1dFg+R ZCMxBXD0iIZk3iJuBUdfXs9A2g0FwliIKVMIqcDfMDynq6DGUuDzuiOiy8XtK/S/wIZsMWEsmBFN qJlFJVSJnOKA5nPbU/FyKKqUe5HT90wji0BI0UDpFyhGw42wihUTBFBEA0gbZESdtJFbvHYzLhUz v45GIliHApNtIIFgcRaOFiWGZSVZsRg7N9pCimN6B3ckgl9sR/dippqN839ldRXRkkuJhCOMU9JG WKkapOxsrbn2xrV7K6KEMdhiAQSuHB54bsHA6HlfqNKV1me6dUayXFeRI7hQpqZvCwRUToK8hNGv IWwN5whxI5yU6p5HJG4NzEhrmtuUEizMSF+RpctQS0eBtmVMs3PHaXGNE4PEmIpK8kO4/NcL4gVc Zzce/cVGVe3Q3HI94lUvMtMOK04PpjiXMTYkhQdG2iqCbCZP41D3mgw8bm4dsdmxG24uLCkgTp56 FRgSLif57Ld7yvovSRIs+sx6sTszCWCi4RcaQDMiRV52u3mXA6KdkF+jiTLK6O4qElSvZVnqJ4Kz NDpLmO8vbbOk4vCBNC4JmN/eQ7eJgsEpsrNZLIK6dSuhDN4OhX3C1mg3ilTx4eHSOLiD2lVkOuaO QsMa5TrbMwmmGLiQBZtgXzxpHUBQyeSOfOYtIFJXA4WJaDMZcKDE7D3YajE2GYtWk06bM9Y0TaSe gtfYRkZDZRac5GTrSNxIea1qkiXON5fU5JyGDsKh/LlvMBrmaxpTlolrgOkVJNcAXF5SPCRGfebh znlkCfWEsLZvH5YknlicWtYy1J8WECJBriD4RJsUOWgRInF7Cgudc4XMSxjoV26mhSiscDQvMFmw l26xWdF9bKDEzQfhvmdHGlodmI8UXJNM5EVFiBfB++5o4TPMce4XN6aWG2MbXuRzpEHH3o9fh7sf WjFJZ0TRT60j70fBH3FTXa22mhn2C+ZWp1OpIoVUNHxKHwDMYvvMoFPzF+L1JMYxhiNa7huAchiU UE4nENQjxIyELhbaIElC9FIQJhsryn9CcuMCFiWFBcM8YU5/EYLMkQExJxmOCwej8nF5SQrDM/MN dUao9EwDfTBq97CEBlR6eoR2Y2WVLTI4USrSJA1cEqPX1mot2Dvl7zkG1GYWaQ/1eIxLocxh7MUh ZrjmmXhS4DnCr8TtD3n3sfhyuETjEAoRJDUQXEe4RL5QSUvwHFwMgT0wFMTGITjpP8fOxJPHYKpU 0lNKb0BI1zYlgNta+XE1uWhpCubVrcnGUlI5YcIafX0nVwFhtGFBM4j3DRy2DzcQuOPo7hWON8ma llI5Rq2Zgn1FjTvXJgl8Whc4dBC8UB1nhlAdiWJOvtZxOrgccSBIxpPIchzIuXgLGuBmayJybC4d CyoKzUNKNCPErsbSRxg5mHweucBkGIpBxuqV5xLyL2bEcUwgGGDgY0w4oYLO/DI2vffBLNxOliUk czSlIvUt56m+cwZdfEUEXlthUq6Jn9BU9mHocKPB0nWkEvxfRVoiz9d4PJ0ctXeFcJVRheTBSNhG pCIMjAoMzoaVHccSg7jlyndTLnWMpKyZvms6eCRoRoRfdtYhmKJAWu0o1YEOM6gp8wl1Dt8XjmOn COkE6d3RzjfY5+UxCG9zsTXvyoW3FvKfvCZrAt26SUTedc/7Y9t14qa8DUp1JlHqOmD5qRVpxPsj tTSx9SizXWZppZsTMnLkT5++PbV+rUVAMhqApVQp+k+igk9NO7ddDzVQxWF609iaWdIA4oN5erlW kTootu+Iww5nN9Ajyx4jzodi5nA8Lhe6E5QLuGQjdcLVCPA0Tw+SP1IrRcyoJBo9QY837PRkoPS9 
CAVTISsTIPFweRjAJ5hqUE6cio5nojpOamC9tEOQyVOtq4HU4srGGHVj7gVCiSn+A1TQ/Sb7gH82 DY2hs6ahUlsGmXgJWQJUHeMEtkZ8kiScMWd+I/Mdnw8UhtGoNdCj9M/GkcxwKxZElR4ZmQiM97mg 1JXKjEC1UZQ3S7rjEVjIgQZyQRxnnReyNzu/lGgDkwyTaU+hSgZgeB+vDY8Lj76ok/Dj1Ohkvcfy oSmuOk/A6BRhzO4uuXtuR0A91+vtEsvFY2AwxvcDlB4XB1KAJvZAIiuLYlK14mazgjJCGSPYYmZ1 alsbrR0+LXDMutpBB8WHQvKgXcRCAbyGBAOaNPQ1dhCKK0kPOY5y1x/Q9gmRw+jqE9KHS3E3CLes y1wV5mVS9irRgNVGsTVKKXMJV9DcvnEnnrczUOlwx5nVWGS3QmRtG+UlAkWDYiVBQRtLUlECIAvM K4emIwQQoaSbAWA7JZSYc5tML2IWuiwWY87hkAPOGlLlJoY0vt/9kpiKY889dugNoz2EcR+iz5ne WA5IY26TIxeQDAyO5fieZVYm3GEkf0a5dzRYaRCScHuf03KWijhecQvKtcquNnahDAm7Q68m+o3z zvD25HZ7eJpgjLovynV2tVlJU3Ifg0NKiXlrR9+xZkh9wlC+xMjaScnTi9WRjBLPtIKVJivAaGmO KFuyqJaGYluPAk1zIUDBsBso0QxP6nBRM1HV5BCHCYBhQzNlNFq8pbzVOE9kswv2+Cd8oHWHTaRa bksYE3hvokcjEErZKKripIC5IzJQlf5fnVUbiquhyHdzkVgD6j7HIqIzsflwcuY1EJ7ohmQ7RDVS CnXCmlJtE4K38TU6a+n99t+iS7jebvgOhsK8HrU5Q7mRoiGKyAqeQR67kvWFxgAcp9aP1ttttuux fnmBsg4LgAMTa3AWWw7/yhYBRIhNi8FwkOvLIPZTPic/p6MHJhSXM+itOd+f2hYpWwIl9F9wEqCt fY3aSRTEQ0FCD33MpNWXrJq1CYXdVsnkVIidFKMaFepbSwh9KUABqsoPNXo9eUYBGenZqUBvJx14 2zQuYtuAorwgPNtiGNJtTYxWammkJXwtZLxXccA5FVlMDjNXHnYrsHGRePccBiHpJaoR8UwVkyLc UbqA0yc9BawX+uc5MYzlGyd2KCPCK8jxGrROEujNXuXqTWrEx43KcDoczxPrgg2Esy9YKoyHpfBr 5xth+85Fegkwlz2b1VKtLfDccSJIr3mZCgHjkiwwNCvma4voTxoE6G14KC2J9w3NxCK6nqbRK/AC gSzS5e8Wl8dh/xdyRThQkPQ1ycU= --===============1589285444==--