From:Alexey Kopytov Date:May 20 2009 8:30am
Subject:bzr commit into mysql-5.0-bugteam branch (Alexey.Kopytov:2748)
Bug#44796
#At file:///Users/kaa/src/bzr/bugteam/bug44796/my50-bug44796/ based on revid:matthias.leich@stripped

 2748 Alexey Kopytov	2009-05-20
      Bug #44796:  valgrind: too many my_longlong10_to_str_8bit 
                   warnings after uncompressed_length 
       
      UNCOMPRESSED_LENGTH() did not validate its argument. In 
      particular, if the argument length was less than 4 bytes, 
      an uninitialized memory value was returned as a result. 
       
      Since the result of COMPRESS() is either an empty string or 
      a 4-byte length prefix followed by compressed data, the bug was 
      fixed by ensuring that the argument of UNCOMPRESSED_LENGTH() is 
      either an empty string or contains at least 5 bytes (as done in 
      UNCOMPRESS()). This is the best we can do to validate input 
      without decompressing. 
      modified:
        mysql-test/r/func_compress.result
        mysql-test/t/func_compress.test
        sql/item_strfunc.cc

per-file messages:
  mysql-test/r/func_compress.result
    Added a test case for bug #44796.
  mysql-test/t/func_compress.test
    Added a test case for bug #44796.
  sql/item_strfunc.cc
    Make sure that the argument of UNCOMPRESSED_LENGTH() contains 
    at least 5 bytes (as done in UNCOMPRESS()).
=== modified file 'mysql-test/r/func_compress.result'
--- a/mysql-test/r/func_compress.result	2006-10-13 14:09:22 +0000
+++ b/mysql-test/r/func_compress.result	2009-05-20 08:30:06 +0000
@@ -116,4 +116,19 @@ Warnings:
 Error	1259	ZLIB: Input data corrupted
 Error	1259	ZLIB: Input data corrupted
 drop table t1;
+CREATE TABLE t1 (c1 INT);
+INSERT INTO t1 VALUES (1), (1111), (11111);
+SELECT UNCOMPRESS(c1), UNCOMPRESSED_LENGTH(c1) FROM t1;
+UNCOMPRESS(c1)	UNCOMPRESSED_LENGTH(c1)
+NULL	NULL
+NULL	NULL
+NULL	825307441
+Warnings:
+Error	1259	ZLIB: Input data corrupted
+Error	1259	ZLIB: Input data corrupted
+Error	1259	ZLIB: Input data corrupted
+Error	1259	ZLIB: Input data corrupted
+Error	1256	Uncompressed data size too large; the maximum size is 104857600 (probably, length of uncompressed data was corrupted)
+EXPLAIN EXTENDED SELECT * FROM (SELECT UNCOMPRESSED_LENGTH(c1) FROM t1) AS s;
+DROP TABLE t1;
 End of 5.0 tests

=== modified file 'mysql-test/t/func_compress.test'
--- a/mysql-test/t/func_compress.test	2006-10-13 14:09:22 +0000
+++ b/mysql-test/t/func_compress.test	2009-05-20 08:30:06 +0000
@@ -82,4 +82,21 @@ select *, uncompress(a) from t1;
 select *, uncompress(a), uncompress(a) is null from t1;
 drop table t1;
 
+#
+# Bug #44796: valgrind: too many my_longlong10_to_str_8bit warnings after 
+#             uncompressed_length
+#
+
+CREATE TABLE t1 (c1 INT);
+INSERT INTO t1 VALUES (1), (1111), (11111);
+
+SELECT UNCOMPRESS(c1), UNCOMPRESSED_LENGTH(c1) FROM t1;
+
+# We do not need the results, just make sure there are no valgrind errors
+--disable_result_log
+EXPLAIN EXTENDED SELECT * FROM (SELECT UNCOMPRESSED_LENGTH(c1) FROM t1) AS s;
+--enable_result_log
+
+DROP TABLE t1;
+
 --echo End of 5.0 tests
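Review bot: The three values at `INSERT INTO t1 VALUES (1), (1111), (11111);` appear to be chosen so that their string forms are 1, 4 and 5 bytes long — below, at and just past the new 4-byte guard in UNCOMPRESSED_LENGTH() — but the test never says so, even though the expected result shows the third row behaving differently from the first two. A comment above the INSERT, `# string forms are 1, 4 and 5 bytes: below, at and just past the 4-byte minimum`, would make the boundary intent explicit for whoever next touches this guard. Adding a 4-byte and a 5-byte string literal alongside the INT rows would pin the boundary directly rather than through INT-to-string conversion, though the INT case is presumably the one from the bug report.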

=== modified file 'sql/item_strfunc.cc'
--- a/sql/item_strfunc.cc	2009-05-12 08:18:27 +0000
+++ b/sql/item_strfunc.cc	2009-05-20 08:30:06 +0000
@@ -3108,7 +3108,21 @@ longlong Item_func_uncompressed_length::
   if (res->is_empty()) return 0;
 
   /*
-    res->ptr() using is safe because we have tested that string is not empty,
+    If length is <= 4 bytes, data is corrupt. This is the best we can do
+    to detect garbage input without decompressing it.
+  */
+  if (res->length() <= 4)
+  {
+    push_warning_printf(current_thd, MYSQL_ERROR::WARN_LEVEL_ERROR,
+                        ER_ZLIB_Z_DATA_ERROR,
+                        ER(ER_ZLIB_Z_DATA_ERROR));
+    null_value= 1;
+    return 0;
+  }
+
+ /*
+    res->ptr() using is safe because we have tested that string is at least
+    5 bytes long.
     res->c_ptr() is not used because:
       - we do not need \0 terminated string to get first 4 bytes
       - c_ptr() tests simbol after string end (uninitialiozed memory) which
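Review bot: The new guard at `if (res->length() <= 4)` rejects short input, but nothing in the hunk bounds the length value returned afterwards, and the expected result in func_compress.result shows UNCOMPRESSED_LENGTH(c1) returning 825307441 on the same row where UNCOMPRESS(c1) is rejected with error 1256 (uncompressed size too large). Since the description's stated aim is to match UNCOMPRESS() as far as possible without decompressing, the same maximum-size check could be applied to the prefix value here so that a corrupt prefix yields NULL plus the size warning instead of an arbitrary large number; the code that reads and returns the prefix is outside the hunk, so this is inferred from the result file rather than seen. The second added comment opens with ` /*` indented one space where the surrounding block uses two; `  /*` would match. The enclosing `Item_func_uncompressed_length` method starts and ends outside the hunk.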
