2645 Gleb Shchepa 2008-06-27
backport from 6.0
Bug#35658 (An empty binary value leads to mysqld crash)
Before this fix, the following token
b''
caused the parser to crash when reading the binary value from the empty string.
The crash was caused by:
ptr+= max_length - 1;
because max_length is unsigned and was 0, so the subtraction wrapped around to a huge offset and ptr was moved far outside the buffer.
With this fix, an empty binary literal b'' is parsed as a binary value 0,
in Item_bin_string.
modified:
mysql-test/r/varbinary.result
mysql-test/t/varbinary.test
sql/item.cc
2644 Matthias Leich 2008-06-25
Fix for
Bug#37492 timing bug in subselect.test
+ similar weaknesses found during testing
+ replace error numbers by error names
added:
mysql-test/include/wait_condition.inc
modified:
mysql-test/t/subselect.test
=== modified file 'mysql-test/r/varbinary.result'
--- a/mysql-test/r/varbinary.result 2007-03-09 21:29:02 +0000
+++ b/mysql-test/r/varbinary.result 2008-06-27 15:56:41 +0000
@@ -78,3 +78,34 @@ alter table t1 modify a varchar(255);
select length(a) from t1;
length(a)
6
+select 0b01000001;
+0b01000001
+A
+select 0x41;
+0x41
+A
+select b'01000001';
+b'01000001'
+A
+select x'41', 0+x'41';
+x'41' 0+x'41'
+A 65
+select N'abc', length(N'abc');
+abc length(N'abc')
+abc 3
+select N'', length(N'');
+ length(N'')
+ 0
+select '', length('');
+ length('')
+ 0
+select b'', 0+b'';
+b'' 0+b''
+ 0
+select x'', 0+x'';
+x'' 0+x''
+ 0
+select 0x;
+ERROR 42S22: Unknown column '0x' in 'field list'
+select 0b;
+ERROR 42S22: Unknown column '0b' in 'field list'
=== modified file 'mysql-test/t/varbinary.test'
--- a/mysql-test/t/varbinary.test 2006-12-21 23:38:34 +0000
+++ b/mysql-test/t/varbinary.test 2008-06-27 15:56:41 +0000
@@ -84,3 +84,31 @@ select length(a) from t1;
alter table t1 modify a varchar(255);
select length(a) from t1;
+#
+# Bug#35658 (An empty binary value leads to mysqld crash)
+#
+
+select 0b01000001;
+
+select 0x41;
+
+select b'01000001';
+
+select x'41', 0+x'41';
+
+select N'abc', length(N'abc');
+
+select N'', length(N'');
+
+select '', length('');
+
+select b'', 0+b'';
+
+select x'', 0+x'';
+
+--error ER_BAD_FIELD_ERROR
+select 0x;
+
+--error ER_BAD_FIELD_ERROR
+select 0b;
+
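Review bot: The new `select b'', 0+b''` and `select x'', 0+x''` cases pin the crash fix, but their string result is an empty cell in the .result file, so a regression that produced e.g. a single NUL byte or a one-byte "0" value would be hard to tell apart from the intended empty string. Adding `select hex(b''), length(b''), hex(x''), length(x'');` right after them makes the expected value explicit (empty hex, length 0) and also exercises the binary-string path rather than only the numeric one. The `--error ER_BAD_FIELD_ERROR` cases for `0x` and `0b` are a good addition since they document that a bare prefix is an identifier, not an empty literal.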
=== modified file 'sql/item.cc'
--- a/sql/item.cc 2008-04-21 22:53:12 +0000
+++ b/sql/item.cc 2008-06-27 15:56:41 +0000
@@ -5013,21 +5013,28 @@ Item_bin_string::Item_bin_string(const c
if (!ptr)
return;
str_value.set(ptr, max_length, &my_charset_bin);
- ptr+= max_length - 1;
- ptr[1]= 0; // Set end null for string
- for (; end >= str; end--)
+
+ if (max_length > 0)
{
- if (power == 256)
+ ptr+= max_length - 1;
+ ptr[1]= 0; // Set end null for string
+ for (; end >= str; end--)
{
- power= 1;
- *ptr--= bits;
- bits= 0;
+ if (power == 256)
+ {
+ power= 1;
+ *ptr--= bits;
+ bits= 0;
+ }
+ if (*end == '1')
+ bits|= power;
+ power<<= 1;
}
- if (*end == '1')
- bits|= power;
- power<<= 1;
+ *ptr= (char) bits;
}
- *ptr= (char) bits;
+ else
+ ptr[0]= 0;
+
collation.set(&my_charset_bin, DERIVATION_COERCIBLE);
fixed= 1;
}
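Review bot: The `max_length > 0` guard stops the unsigned wrap of `max_length - 1`, but the terminator write `ptr[1]= 0` after the advance still lands at `ptr[max_length]`, which is only safe if the allocation above this hunk reserved `max_length + 1` bytes; that invariant is not visible here and should be stated, e.g. `// buffer holds max_length + 1 bytes (see allocation above); ptr[max_length] is the terminator`. The `else` branch can also be folded away by writing the terminator once before the branch as `ptr[max_length]= 0;`, which for `max_length == 0` is exactly `ptr[0]= 0` and for larger values matches the current `ptr[1]` after the advance. The decrementing `*ptr--` in the loop relies on `max_length` matching the bit count between `str` and `end`, both computed outside the hunk, so a `DBUG_ASSERT` relating them would turn a future mismatch into a debug failure rather than an out-of-bounds write. Item_bin_string's constructor begins before this hunk.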