From: Alexander Barkov Date: February 10 2011 9:55am Subject: bzr commit into mysql-5.5 branch (alexander.barkov:3321) Bug#58036 List-Archive: http://lists.mysql.com/commits/130993 X-Bug: 58036 Message-Id: <201102100955.p1A9tt9T018193@bar.myoffice.izhnet.ru> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4991412919329346436==" --===============4991412919329346436== MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline #At file:///home/bar/mysql-bzr/mysql-5.5.b58036v2/ based on revid:georgi.kodinov@stripped 3321 Alexander Barkov 2011-02-10 Bug#58036 client utf32, utf16, ucs2 should be disallowed, they crash server Problem: ucs2 was correctly disallowed in "SET NAMES" only, while mysql_real_connect() and mysql_change_user() still allowed to use ucs2, which made server crash. Fix: disallow ucs2 in mysql_real_connect() and mysql_change_user(). @ sql/set_var.cc Using new function. @ sql/sql_acl.cc - Return error if character set initialization failed - Getting rid of pointer aliasing: Initialize user_name to NULL, to avoid double free(). @ sql/sql_connect.cc - in case of unsupported client character set send error and return true - in case of success return false @ sql/sql_connect.h - changing return type for thd_init_client_charset() to bool, to return errors to the caller @ sql/sql_parse.h - introducing a new function, to reuse in all places where we need to check client character set. @ tests/mysql_client_test.c Adding test modified: sql/set_var.cc sql/sql_acl.cc sql/sql_connect.cc sql/sql_connect.h sql/sql_parse.h tests/mysql_client_test.c === modified file 'sql/set_var.cc' --- a/sql/set_var.cc 2011-02-02 18:13:28 +0000 +++ b/sql/set_var.cc 2011-02-10 09:50:45 +0000 
@@ -776,7 +776,7 @@ int set_var_password::update(THD *thd) int set_var_collation_client::check(THD *thd) { /* Currently, UCS-2 cannot be used as a client character set */ - if (character_set_client->mbminlen > 1) + if (!is_supported_parser_charset(character_set_client)) { my_error(ER_WRONG_VALUE_FOR_VAR, MYF(0), "character_set_client", character_set_client->csname); === modified file 'sql/sql_acl.cc' --- a/sql/sql_acl.cc 2011-01-14 15:48:11 +0000 +++ b/sql/sql_acl.cc 2011-02-10 09:50:45 +0000 @@ -7799,7 +7799,8 @@ public: Thd_charset_adapter(THD *thd_arg) : thd (thd_arg) {} bool init_client_charset(uint cs_number) { - thd_init_client_charset(thd, cs_number); + if (thd_init_client_charset(thd, cs_number)) + return true; thd->update_charset(); return thd->is_error(); } @@ -8929,9 +8930,8 @@ server_mpvio_initialize(THD *thd, MPVIO_ mpvio->auth_info.host_or_ip= thd->security_ctx->host_or_ip; mpvio->auth_info.host_or_ip_length= (unsigned int) strlen(thd->security_ctx->host_or_ip); - mpvio->auth_info.user_name= thd->security_ctx->user; - mpvio->auth_info.user_name_length= thd->security_ctx->user ? - (unsigned int) strlen(thd->security_ctx->user) : 0; + mpvio->auth_info.user_name= NULL; + mpvio->auth_info.user_name_length= 0; mpvio->connect_errors= connect_errors; mpvio->status= MPVIO_EXT::FAILURE; === modified file 'sql/sql_connect.cc' --- a/sql/sql_connect.cc 2010-12-15 22:59:21 +0000 +++ b/sql/sql_connect.cc 2011-02-10 09:50:45 +0000 
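Review bot: The comment above the changed condition in set_var_collation_client::check() still names only UCS-2, while the new condition rejects every character set that is_supported_parser_charset() refuses. Updating it to `/* Character sets with mbminlen > 1 (ucs2, utf16, utf32) cannot be used as a client character set */` would keep the comment in step with the check. The function body continues outside the hunk.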
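Review bot: In server_mpvio_initialize() the new `mpvio->auth_info.user_name= NULL;` carries no comment explaining why the field no longer mirrors thd->security_ctx->user. The reason is given only in the commit message (avoiding a double free through the aliased pointer), so the fix is easy to revert by accident. A one-line comment such as `/* Do not alias security_ctx->user here: the two pointers are freed independently */` would record it next to the assignment. Any code that reads auth_info.user_name before the handshake or change-user packet fills it in must now tolerate NULL with length 0; those readers are outside this hunk, so that is worth confirming. The function starts and ends outside the hunk.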
@@ -370,8 +370,23 @@ void reset_mqh(LEX_USER *lu, bool get_th } -void thd_init_client_charset(THD *thd, uint cs_number) +/** + Set thread character set variables from the given ID + + @param thd thread handle + @param cs_number character set and collation ID + + @retval 0 OK; character_set_client, collation_connection and + character_set_results are set to the new value, + or to the default global values. + + @retval 1 error, e.g. the given ID is not supported by parser. + Corresponding SQL error is sent. +*/ + +bool thd_init_client_charset(THD *thd, uint cs_number) { + CHARSET_INFO *cs; /* Use server character set and collation if - opt_character_set_client_handshake is not set @@ -380,10 +395,10 @@ void thd_init_client_charset(THD *thd, u - client character set doesn't exists in server */ if (!opt_character_set_client_handshake || - !(thd->variables.character_set_client= get_charset(cs_number, MYF(0))) || + !(cs= get_charset(cs_number, MYF(0))) || !my_strcasecmp(&my_charset_latin1, global_system_variables.character_set_client->name, - thd->variables.character_set_client->name)) + cs->name)) { thd->variables.character_set_client= global_system_variables.character_set_client; @@ -394,10 +409,18 @@ void thd_init_client_charset(THD *thd, u } else { + if (!is_supported_parser_charset(cs)) + { + /* Disallow non-supported parser character sets: UCS2, UTF16, UTF32 */ + my_error(ER_WRONG_VALUE_FOR_VAR, MYF(0), "character_set_client", + cs->csname); + return true; + } thd->variables.character_set_results= thd->variables.collation_connection= - thd->variables.character_set_client; + thd->variables.character_set_client= cs; } + return false; } === modified file 'sql/sql_connect.h' --- a/sql/sql_connect.h 2010-09-20 14:17:32 +0000 +++ b/sql/sql_connect.h 2011-02-10 09:50:45 +0000 
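Review bot: The new header comment on thd_init_client_charset() states `Corresponding SQL error is sent`, but the error path added further down only calls my_error() and returns true; nothing in this function writes to the client. Wording such as `Corresponding SQL error is raised; the caller is responsible for reporting it` would describe the visible behaviour, assuming delivery happens in the caller. The `@retval 0` / `@retval 1` lines would also read better as `false` / `true` now that the return type is bool.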
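Review bot: Only the else branch of thd_init_client_charset() is guarded by is_supported_parser_charset(); the fallback branch still copies global_system_variables.character_set_client into the session without the same check. That is safe only if the global value can never be a character set with mbminlen > 1, which this diff does not show. If that invariant is intended, stating it in the fallback branch with `DBUG_ASSERT(is_supported_parser_charset(global_system_variables.character_set_client));` would catch a misconfigured server default in debug builds before it reaches the parser.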
@@ -33,7 +33,7 @@ void reset_mqh(LEX_USER *lu, bool get_th bool check_mqh(THD *thd, uint check_command); void time_out_user_resource_limits(THD *thd, USER_CONN *uc); void decrease_user_connections(USER_CONN *uc); -void thd_init_client_charset(THD *thd, uint cs_number); +bool thd_init_client_charset(THD *thd, uint cs_number); bool setup_connection_thread_globals(THD *thd); int check_user(THD *thd, enum enum_server_command command, === modified file 'sql/sql_parse.h' --- a/sql/sql_parse.h 2010-08-31 09:59:51 +0000 +++ b/sql/sql_parse.h 2011-02-10 09:50:45 +0000 @@ -197,4 +197,10 @@ check_table_access(THD *thd, ulong requi bool check_global_access(THD *thd, ulong want_access); +inline bool is_supported_parser_charset(CHARSET_INFO *cs) +{ + return test(cs->mbminlen == 1); +} + + #endif /* SQL_PARSE_INCLUDED */ === modified file 'tests/mysql_client_test.c' --- a/tests/mysql_client_test.c 2010-12-29 00:26:31 +0000 +++ b/tests/mysql_client_test.c 2011-02-10 09:50:45 +0000 
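Review bot: With the prototype of thd_init_client_charset() changing from void to bool, a caller that still discards the result compiles cleanly and carries on with the connection after a rejected character set. This diff updates the call in Thd_charset_adapter::init_client_charset() only; any other call sites (none are visible here) should be checked and made to propagate the failure. A short comment on the declaration, e.g. `/* Returns true on error (unsupported client character set) */`, would make the contract visible in the header.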
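Review bot: is_supported_parser_charset() is added to sql_parse.h without a comment, so the reason `mbminlen == 1` is the criterion is left for the reader to infer. A header such as `/** True if cs may be used as character_set_client; character sets whose minimum character length exceeds one byte (ucs2, utf16, utf32) are not supported by the parser. */` would document it. The `test()` wrapper around a comparison that is already boolean is redundant; `return cs->mbminlen == 1;` is equivalent. The helper dereferences cs unconditionally, so callers must pass a non-NULL pointer, as both call sites in this diff appear to do.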
@@ -19289,6 +19289,72 @@ static void test_bug47485() /* + Bug#58036 client utf32, utf16, ucs2 should be disallowed, they crash server +*/ +static void test_bug58036() +{ + MYSQL *conn; + DBUG_ENTER("test_bug47485"); + myheader("test_bug58036"); + + /* Part1: try to connect with ucs2 client character set */ + conn= mysql_client_init(NULL); + mysql_options(conn, MYSQL_SET_CHARSET_NAME, "ucs2"); + if (mysql_real_connect(conn, opt_host, opt_user, + opt_password, opt_db ? opt_db : "test", + opt_port, opt_unix_socket, 0)) + { + if (!opt_silent) + printf("mysql_real_connect() succeeded (failure expected)\n"); + mysql_close(conn); + DIE(); + } + + if (!opt_silent) + printf("Got mysql_real_connect() error (expected): %s (%d)\n", + mysql_error(conn), mysql_errno(conn)); + DIE_UNLESS(mysql_errno(conn) == ER_WRONG_VALUE_FOR_VAR); + mysql_close(conn); + + + /* + Part2: + - connect with latin1 + - then change client character set to ucs2 + - then try mysql_change_user() + */ + conn= mysql_client_init(NULL); + mysql_options(conn, MYSQL_SET_CHARSET_NAME, "latin1"); + if (!mysql_real_connect(conn, opt_host, opt_user, + opt_password, opt_db ? opt_db : "test", + opt_port, opt_unix_socket, 0)) + { + if (!opt_silent) + printf("mysql_real_connect() failed: %s (%d)\n", + mysql_error(conn), mysql_errno(conn)); + mysql_close(conn); + DIE(); + } + + mysql_options(conn, MYSQL_SET_CHARSET_NAME, "ucs2"); + if (!mysql_change_user(conn, opt_user, opt_password, NULL)) + { + if (!opt_silent) + printf("mysql_change_user() succedded, error expected!"); + mysql_close(conn); + DIE(); + } + + if (!opt_silent) + printf("Got mysql_change_user() error (expected): %s (%d)\n", + mysql_error(conn), mysql_errno(conn)); + mysql_close(conn); + + DBUG_VOID_RETURN; +} + + +/* Bug#49972: Crash in prepared statements. The following case lead to a server crash: 
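Review bot: test_bug58036() opens with `DBUG_ENTER("test_bug47485");`, copied from the preceding test, so debug traces attribute this test to the wrong function; it should read `DBUG_ENTER("test_bug58036");`. Part 2 only checks that mysql_change_user() fails and, unlike Part 1, never asserts the error code, so an unrelated failure would also pass; if the server reports the same error there, add `DIE_UNLESS(mysql_errno(conn) == ER_WRONG_VALUE_FOR_VAR);` after the printf. The message `"mysql_change_user() succedded, error expected!"` has a typo and lacks the trailing `\n` that the other messages carry.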
@@ -19770,6 +19836,7 @@ static struct my_tests_st my_tests[]= { { "test_bug42373", test_bug42373 }, { "test_bug54041", test_bug54041 }, { "test_bug47485", test_bug47485 }, + { "test_bug58036", test_bug58036 }, { "test_bug57058", test_bug57058 }, { 0, 0 } }; --===============4991412919329346436== MIME-Version: 1.0 Content-Type: text/bzr-bundle; charset="us-ascii"; name="bzr/alexander.barkov@stripped" Content-Transfer-Encoding: 7bit Content-Disposition: inline # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: alexander.barkov@stripped\ # a4i0i08vmf4ewpqx # target_branch: file:///home/bar/mysql-bzr/mysql-5.5.b58036v2/ # testament_sha1: 96ed761e86e007d1998cf34b4a79ced927588d43 # timestamp: 2011-02-10 12:55:55 +0300 # base_revision_id: georgi.kodinov@stripped\ # uz4ib7uq120rr2vp # # Begin bundle IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWaOpD2EABx7/gFK4IgB6d/// /+//pL////5gDofHlbhY4RU5C2sygxsy05ORqzNaNDUqKQpUdOEoiGgmVPKeaNGgaEbRJsoBoGgB o9Ro8oAeoJSaRo1PTJqYRTyZTRkZADE0NAaaNAABoA4yYJoZDIyMmhoA0GRhANBo0yGIaACRERGJ Mmmp+oE0ek1P0mmQCZMQ0aaaA0GIYNQ4yYJoZDIyMmhoA0GRhANBo0yGIaACSQBBNNA0EwgJoT0R hTaMpoaGmhoADIiELqKI5QRFTjUrGXU9vBnaFegSBr+CrPVkyVacmWbKvFk7SAGsGb+T+cJGHXW2 bdu6+fE1uSdtlJ2UcUffS4SKyF+TfEIx2h1UcPYI8QMGWyNH9Ls9xKRIbMyHM+Vic9X8pcYqnBxy bTF+VscKpzIE5kH+5TLGb1sTcxWw31nOVHM7fqIyut05ZZzUSAQmYSS66JIJMC1Ne4YBmdjP8zwJ Xslpa5OqcEEL2IPesDNdQxw4Pw9RzFDwCfILcE2xtttIbbWc2/Jyguq9eeuax826c6dCRFtDEF0I 23TlRqshutzmHk3NONVOlauXkZRq6LZD2nx0diTbEcDRy6fLauoVa9b7dlLbfu2pw2OPkXBMPZpc xzMYxySwy52ECxVxUPx/nGNtSFiGb/FmLpVsswqUhTcKt249YVLUwVEm9Y/0k0lGAkFKJlzl3HZu 2PSNWQgUFyMSybt0RvNpXLdBo7jIQYBOgR0p7GiDx0aK0RbXXErAYwMTzoc5I1vwyyqiCWwmTO1v roMhHKs8Fwg4mGpmTHPWUwUxc1pWOmvYzujVSXhZVMd7w+lAaV611+DZso54d+CdFWBNqm2MSxKU ubH6Jb7nolYqzmSL9wxkBtxDGgIIGuUhQC2kezjlPJlIYxj4v0X6lKNHYCFVGtUJZuPKHA4dOuSN p7TXijJuQgpdZW3vcBY8ibWQ4yOd2tQWXQGl9Si3vqH1HsZfDFMyPq8ble2Ax6bLdy1EsdCl04Sf JqJpD4A6yBqfMeUXxQeJ3AeYPWgTzQLaczqVneAO8Dzh3GBgZ9NuFCZtuQ4JusXXSzKTW33ZP7+z 
E8WigIo1M4ZycOKWcRmSQ9hkxMWs7EdfHzuGLJu5BXYdoGm3v445UJaWgkcs2D3uc3wySWBKfhIh AZCkiyjKDQhpO3hNZbWwIgAdlhRcRSpITKVT5unCAWqbbjekmpYSphbgBixgDoQqaywB6x+B1yI0 lYAWpy3VQtTW3bMljmZl3PNbTPlpWmzKKQBlQZ34QEE/ffTeZPmsKIQ5MpFtXQGCDE6fktBEmbbq 3xdojPY+GymDh4tBDAbA9uLQWs3gUwpkScH5a32anEtBXvXlhTQM4a38W7AbaMS3KKaxhgbrlZIS ASFLxNBiXZmmqkBuBfGvbtSm9TPa1bXIm/QLcLgGLDZYglxppI3POLGSwYdNgDBriDqlvKx0CTpV oZyeJAiYbddIYlymTjI5X3uKkc47XwcgzlxgO+Wc7fQZ4oqvMn1vjlHiETnfGY+gaTUMnbokTHr6 GaMNe/MEYkA3Ejdwo8UaPGWdliZEjElFlaQcnjOU10sLipC68ea9MMhKwvQ1IbBM79bmMhmmNzAx LmDxxkC2ZkpqIgsILzEKk8l8BgAW17yrmNxaRxtOLVzYxOHJsiN91B+GEXWpWDtEDw4POopiAQOV FCog6V3zqmODuWZ6NodJAOJ82oA0j1FhwXCkK2DEzEUJmBrc+YpMfcbcQsoLWvE9hpB0TnlZWasV 00mBVOpxOWYcXYMTSdwfYa3kbFDQ5UkjD8cDQNAeSV4RIFnmcSGjgYl0Vs0gZD8DEqMYmJiZ0Gbq njSwrmiz2IVJIqMOYrY8mR9KKbHrTJl5Fco6xIlZFqdBTOTEviBQTtJUG1jSSqHmHkHnMhppx195 orZmZtmrYbZGgbUlAn2znStRx2dVKzNoVsGsq4tGdeNAgGVhtcOJjpGFoA6NJPc6Li4dhNrn2lTN ZexGVJzHUMw+FCIA57lvL8nkC1oXM6xi9h9K5yREYqQIkiBt1W9Mx9Bq8eGbnTHOjDIe8k974YZC dCT3pQi8BoNFKaCM2uC86hbIofK14Wg9z9unwpbPrMvJheRO200yRYySQIabeU1+YXAt5qgHduYk QHh7nvNQM9qPB0ZzqNtg02P0F32Vjyv5r4W/6XjqXpw2v+WGT863V1+PjYBEyfweXkC1zRlmwflC oantxB5yN/ZNCEEOYgmCosap2cqT2w1DH2m91R47bq2IpeX2/iPReRKtPXsqr0ZTZTc2m4xHoIaj 4EkV2xND0twvSFV8biEcN6mhnGzzByIYn97GMRAC54CA+5qCWLjF3SDoCRFq7iLUqKqISc2VRKA+ kgnCmJktXqJge4YXxLV7hiBT8x8D6AD4GFDg8hRxHA/lOWkzeraCxBAtLGHGZL8vmGDTRWgOTwnJ VL5HqSYXx/7ydrTttw5laWlx1pHTmPmjrED0HZqoD0LaSZJPPLUgPuggkB+J+3EvWiS4LPxXRs88 /A5bji3jeE0BpMN/IzRfzDi8HvQzlhjxQnVCgFI8RmokLZJgQrjtDeNQ7pFmmLeUta0IJxywoHfU Ak9Q+Zw4YNZrhuMxEyNenadB/AibTFfeGAK4gpFhmfcPZ5aGfo1uoTIOP0uv1xAfdjfXqBwJVFYC wGiDKIW/eIPXQKgDCJ+D+OZBzVsqwezOhGZCekab53zDo6aXMkExEQHzXGWzDDlvFuMvW8jvrwJn M9kyN4DrAOg/zFpJCvBwXBw4BcfgUHEvt1Ox2zvUWQDUPYcEoT6xUB+t2MDZx3z1draDfEV7QKO8 XvM0vQ/yfreiBfUBZ4A4R8k2FOmnImqTU2qJseseMRjFosxnZuCKJaNsjEFtiogiwsNZkMk4u7Gh wQGkGlWzfvzDuTkPedWqb6bHQxSlF7RM6TsLG43IWXZpX1e0sLpaO6TmFuhEVBTVOaUSJisUAWiu 
O6ZKm7TdupAEyKiY2QIOKkiaMI5g2CYMxlXbuuNGinXvQmybQ9LSNI2lhHw+EgRvXiAXiDP5DXIW kzZwXoW+KOsDvXdCBBhyNZQA8DvNficTsPSRLTE0MXd5alOWwMaGcrDoE1CRiZoUMKNTmUVScuEh LqHdAorD2yHIfvBtghhdxeK/jzOwXOcSI2CH8UZizC8iRTPGUUyJXGWUJUEtGaZMGYEGo7JcVDaf yjtBDQR6dwvIAgAc4lwYjhvCKnDTHZk5seWhCawEU2e9gZMzckvCOAr2BdRkirmKCY9CCey8t3V0 0g+Iq30iLkaNKO6fZxpwLwvZkmZlW5N50zA5ApHKFIpatnU0ukoi1wzmehM1dhCd43oOLjvFwEGJ 6zodDHmzDmzCqDI7g1IJOB6QSSZCXjx9sjWdWsX0NcAmEnb9b0Tge68QTBDTZSbsxHJWuNWJRFop EnNyeV6rXlghZGVr36WViPbNI4WnQA9WrlyRd5IrVK5G7MQM/8XyZcL2M88wdC54Xy+RAqlLe9ib 5pcQyNslksJdOkOAgkHAaZ64J4Hdx8zsBNblYMXsrUFg4QWOZEGSjUrvtKoFkyl/OQgtEjtDEFwZ SguVEoorMoVGJJiaYwMEQs5ebDt8Rr2AtAUHnb2ophrHFwnmhSO89GkPE4E3JCvRmYRZouqkgork W+MHUXS2usiEYqgtzohHvAWKD5lvFJZvwnig1UWSPWfE2R8vricIiZATFIOPES16TycJgNgOGF9c kunQeDV7kfScypdYa0u5K5HUAdR6j51j58AF3072PeWFq3I+s+3VoSEuo0IRaaS8uMwSG0MbGs8A QMTBpNpBAMdabBkj7IgKKEyBjLuVxBXRneZJW98Uk5+5G0bkNu8HJXCwKl1Y5kQEHWc6LgjFBHAN SPVym5mwsBedXmcAdyAYxihmRQrJkZ6FFa6+J5ZzrfRbI4ENgOqsaKbNvKO9FwU1EUQMGt2REgPQ jyePvlN4vWQKNWiqNHrrtIJFoF0M0yXiwbbbe3gjnwRWtCiSmZIhuREQzOSiWroODSMI5VzoHjk3 MdldepZCna0hZOvG2pHoIsIRJuDUDllBMeJJEsgKAU6zZZXLvWolZGwqHAKQGibRQhikIRIRIUVQ ZScBsZGfWNnBzmGxZCzzRmDuwPY8s+r0n0SpaDtD6fEjd3ryNWO+SYvFse+n2ZwXceho42INiHoy edWaIGDwUoXzbtMkvPp5Fy7SwXIa22bh3l9xrRI+YmejbdqQw87Sb0rF8i7gg2Smgb9Ba4GJnaj7 LjwWHXwcki8sLgb48TSslhUxQe8AbXvJK0cSGcLR0AZSENmgoOiqjtCPAJDSozWB7veMyF6w0qog uIe85QDRdqHoUCQ446TmzmIHMq4Jnqgmt+fi9AEg5a1sI4aMRgLjyjrNM5g5S7hIjEUmFNeMZxVg qNX/i7kinChIUdSHsIA= --===============4991412919329346436==--