List:Commits« Previous MessageNext Message »
From:Tor Didriksen Date:January 27 2011 12:37pm
Subject:bzr commit into mysql-5.5 branch (tor.didriksen:3280) Bug#59632
View as plain text  
#At file:///export/home/didrik/repo/5.5-bug59632/ based on revid:mattias.jonsson@stripped

 3280 Tor Didriksen	2011-01-27
      Bug #59632 Assertion failed: arg_length > length
      
      The problem was overflow in max_length when we tried to des_decrypt()
      something which is not the output of des_encrypt()
     @ mysql-test/t/bug59632.test
        New test case.
     @ sql/item_strfunc.h
        In unsigned arithmetic, (1-9) becomes a very large number.

    added:
      mysql-test/t/bug59632.test
    modified:
      sql/item_strfunc.h
=== added file 'mysql-test/t/bug59632.test'
--- a/mysql-test/t/bug59632.test	1970-01-01 00:00:00 +0000
+++ b/mysql-test/t/bug59632.test	2011-01-27 12:37:11 +0000
@@ -0,0 +1,11 @@
+-- source include/have_innodb.inc
+-- source include/have_ssl_crypto_functs.inc
+
+CREATE TABLE t1(a int) engine=innodb;
+INSERT INTO t1 VALUES (1);
+
+SELECT DISTINCT
+convert((SELECT des_decrypt(2,1) AS a FROM t1 WHERE @a:=1), signed) as d
+FROM t1 ;
+
+DROP TABLE t1;

=== modified file 'sql/item_strfunc.h'
--- a/sql/item_strfunc.h	2011-01-17 12:26:13 +0000
+++ b/sql/item_strfunc.h	2011-01-27 12:37:11 +0000
@@ -361,7 +361,9 @@ public:
   {
     maybe_null=1;
     /* 9 = MAX ((8- (arg_len % 8)) + 1) */
-    max_length = args[0]->max_length - 9;
+    max_length= args[0]->max_length;
+    if (max_length >= 9U)
+      max_length-= 9U;
   }
   const char *func_name() const { return "des_decrypt"; }
 };


Attachment: [text/bzr-bundle] bzr/tor.didriksen@oracle.com-20110127123711-4yl79sqzdbziaj4v.bundle
Thread
bzr commit into mysql-5.5 branch (tor.didriksen:3280) Bug#59632Tor Didriksen27 Jan