List:Commits« Previous MessageNext Message »
From:Tor Didriksen Date:February 3 2011 8:10am
Subject:bzr commit into mysql-5.5 branch (tor.didriksen:3300) Bug#59632
View as plain text  
#At file:///export/home/didrik/repo/5.5-bug59632/ based on revid:georgi.kodinov@stripped

 3300 Tor Didriksen	2011-02-03
      Bug #59632 Assertion failed: arg_length > length
      
      The problem was overflow in max_length when we tried to des_decrypt()
      something which is not the output of des_encrypt()
     @ mysql-test/r/bug59632.result
        New test case.
     @ mysql-test/t/bug59632.test
        New test case.
     @ sql/item_strfunc.h
        Do not subtract the encrypt overhead (9U) if args[0] has length < 9
        (In unsigned arithmetic, (1-9) becomes a very large number)

    added:
      mysql-test/r/bug59632.result
      mysql-test/t/bug59632.test
    modified:
      sql/item_strfunc.h
=== added file 'mysql-test/r/bug59632.result'
--- a/mysql-test/r/bug59632.result	1970-01-01 00:00:00 +0000
+++ b/mysql-test/r/bug59632.result	2011-02-03 08:09:59 +0000
@@ -0,0 +1,8 @@
+CREATE TABLE t1(a int) engine=innodb;
+INSERT INTO t1 VALUES (1);
+SELECT DISTINCT
+convert((SELECT des_decrypt(2,1) AS a FROM t1 WHERE @a:=1), signed) as d
+FROM t1 ;
+d
+2
+DROP TABLE t1;

=== added file 'mysql-test/t/bug59632.test'
--- a/mysql-test/t/bug59632.test	1970-01-01 00:00:00 +0000
+++ b/mysql-test/t/bug59632.test	2011-02-03 08:09:59 +0000
@@ -0,0 +1,11 @@
+-- source include/have_innodb.inc
+-- source include/have_ssl_crypto_functs.inc
+
+CREATE TABLE t1(a int) engine=innodb;
+INSERT INTO t1 VALUES (1);
+
+SELECT DISTINCT
+convert((SELECT des_decrypt(2,1) AS a FROM t1 WHERE @a:=1), signed) as d
+FROM t1 ;
+
+DROP TABLE t1;

=== modified file 'sql/item_strfunc.h'
--- a/sql/item_strfunc.h	2011-01-17 12:26:13 +0000
+++ b/sql/item_strfunc.h	2011-02-03 08:09:59 +0000
@@ -1,7 +1,7 @@
 #ifndef ITEM_STRFUNC_INCLUDED
 #define ITEM_STRFUNC_INCLUDED
 
-/* Copyright (C) 2000-2003 MySQL AB
+/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -361,7 +361,9 @@ public:
   {
     maybe_null=1;
     /* 9 = MAX ((8- (arg_len % 8)) + 1) */
-    max_length = args[0]->max_length - 9;
+    max_length= args[0]->max_length;
+    if (max_length >= 9U)
+      max_length-= 9U;
   }
   const char *func_name() const { return "des_decrypt"; }
 };


Attachment: [text/bzr-bundle] bzr/tor.didriksen@oracle.com-20110203080959-jfys7vbsu4ct1y1i.bundle
Thread
bzr commit into mysql-5.5 branch (tor.didriksen:3300) Bug#59632Tor Didriksen3 Feb