From:kgeorge Date:June 12 2007 8:02am
Subject:bk commit into 5.0 tree (gkodinov:1.2529) BUG#28934
Below is the list of changes that have just been committed into a local
5.0 repository of kgeorge. When kgeorge does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet@stripped, 2007-06-12 11:02:34+03:00, gkodinov@stripped +2 -0
  Bug #28934: server crash when receiving malformed com_execute packets
   Sometimes a parameter slot may not get a value because of the protocol
   data being plain wrong.
   Such cases should be detected and handled by returning an error.
   Fixed by checking data stream constraints where possible (like maximum
   length) and reacting to the case where a value cannot be constructed.

  sql/sql_prepare.cc@stripped, 2007-06-12 11:02:33+03:00, gkodinov@stripped +10 -0
    Bug #28934: 
     - check for a parameter slot not being set because 
        of wrong data
     - check if the length read from the stream is not
        greater than the maximum length of the field

  tests/mysql_client_test.c@stripped, 2007-06-12 11:02:33+03:00, gkodinov@stripped +83 -0
    Bug #28934: test case

# This is a BitKeeper patch.  What follows are the unified diffs for the
# set of deltas contained in the patch.  The rest of the patch, the part
# that BitKeeper cares about, is below these diffs.
# User:	gkodinov
# Host:	magare.gmz
# Root:	/home/kgeorge/mysql/work/B28934-5.0-opt

--- 1.202/sql/sql_prepare.cc	2007-05-15 12:56:04 +03:00
+++ 1.203/sql/sql_prepare.cc	2007-06-12 11:02:33 +03:00
@@ -562,6 +562,8 @@ void set_param_date(Item_param *param, u
 static void set_param_str(Item_param *param, uchar **pos, ulong len)
 {
   ulong length= get_param_length(pos, len);
+  if (length > len)
+    length= len;
   param->set_str((const char *)*pos, length);
   *pos+= length;
 }
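Review bot: The new clamp compares `length` against `len`, the byte count as it stood before `get_param_length` consumed the length prefix, so (assuming that helper advances `*pos`, as its `uchar **` parameter suggests) a declared length up to prefix-size bytes larger than what actually remains still passes and the `set_str`/`*pos+=` on the following lines can reach past the end of the packet. Measure what is left after the prefix instead: `uchar *start= *pos;` before the call, then `ulong avail= len - (ulong)(*pos - start);` and `if (length > avail) length= avail;`. Silently truncating also turns an oversized string into an accepted value rather than leaving the slot in NO_VALUE for the check the other hunks add, so rejecting the parameter here would match the commit's stated intent better than clamping; worth a comment either way saying which behaviour is chosen and why.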
@@ -731,6 +733,8 @@ static bool insert_params_withlog(Prepar
         if (read_pos >= data_end)
           DBUG_RETURN(1);
         param->set_param_func(param, &read_pos, data_end - read_pos);
+        if (param->state == Item_param::NO_VALUE)
+          DBUG_RETURN(1);
       }
     }
     res= param->query_val_str(&str);
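Review bot: The new NO_VALUE check carries no comment saying why reaching it means the packet was malformed, and the identical two lines are repeated in the hunks for insert_params, emb_insert_params and emb_insert_params_withlog below. Put above the check `/* set_param_func leaves the slot in NO_VALUE when the data for this parameter cannot be decoded; treat that as a malformed packet (Bug#28934). */`, and consider folding the set_param_func call plus this check into one static helper shared by the four functions so the fix cannot drift apart. The check follows the function's existing DBUG_RETURN(1) convention without raising its own error, so the caller is presumably the one reporting the failure; that is worth confirming, since the enclosing functions start and end outside these hunks.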
@@ -767,6 +771,8 @@ static bool insert_params(Prepared_state
         if (read_pos >= data_end)
           DBUG_RETURN(1);
         param->set_param_func(param, &read_pos, data_end - read_pos);
+        if (param->state == Item_param::NO_VALUE)
+          DBUG_RETURN(1);
       }
     }
     if (param->convert_str_value(stmt->thd))
@@ -849,6 +855,8 @@ static bool emb_insert_params(Prepared_s
                               client_param->length ?
                               *client_param->length :
                               client_param->buffer_length);
+        if (param->state == Item_param::NO_VALUE)
+          DBUG_RETURN(1);
       }
     }
     if (param->convert_str_value(thd))
@@ -890,6 +898,8 @@ static bool emb_insert_params_withlog(Pr
                               client_param->length ?
                               *client_param->length :
                               client_param->buffer_length);
+        if (param->state == Item_param::NO_VALUE)
+          DBUG_RETURN(1);
       }
     }
     res= param->query_val_str(&str);

--- 1.228/tests/mysql_client_test.c	2007-06-06 23:29:48 +03:00
+++ 1.229/tests/mysql_client_test.c	2007-06-12 11:02:33 +03:00
@@ -15687,6 +15687,88 @@ end:
 
 
 /*
+  Bug#28934: server crash when receiving malformed com_execute packets
+*/
+
+static void test_bug28934()
+{
+  MYSQL *l_mysql;
+  my_bool error= 0;
+  my_ulonglong res;
+  MYSQL_BIND bind[5];
+  MYSQL_STMT *stmt;
+  int cnt;
+
+  if (!(l_mysql= mysql_init(NULL)))
+  {
+    myerror("mysql_init() failed");
+    DIE_UNLESS(1);
+  }
+  if (!(mysql_real_connect(l_mysql, opt_host, opt_user,
+                           opt_password, current_db, opt_port,
+                           opt_unix_socket, CLIENT_FOUND_ROWS)))
+  {
+    myerror("connection failed");
+    error= 1;
+    goto end;
+  }
+  l_mysql->reconnect= 1;
+  if (mysql_query(l_mysql, "drop table if exists t1"))
+  {
+    myerror(NULL);
+    error= 1;
+    goto end;
+  }
+  if (mysql_query(l_mysql, "create table t1(id int)"))
+  {
+    myerror(NULL);
+    error= 1;
+    goto end;
+  }
+  if (mysql_query(l_mysql, "insert into t1 values(1),(2),(3),(4),(5)"))
+  {
+    myerror(NULL);
+    error= 1;
+    goto end;
+  }
+  if (!(stmt= mysql_simple_prepare(l_mysql,
+                                   "select * from t1 where id in(?,?,?,?,?)")))
+  {
+    myerror(NULL);
+    error= 1;
+    goto end;
+  }
+
+  memset (&bind, 0, sizeof (bind));
+  for (cnt= 0; cnt < 5; cnt++)
+  {
+    bind[cnt].buffer_type= MYSQL_TYPE_LONG;
+    bind[cnt].buffer= (char*)&cnt;
+    bind[cnt].buffer_length= 0;
+  }
+  if(mysql_stmt_bind_param(stmt, bind))
+  {
+    myerror(NULL);
+    error= 1;
+    goto end;
+  }
+  stmt->param_count=2;
+  error= mysql_stmt_execute(stmt);
+  DIE_UNLESS (error != 0);
+  myerror(NULL);
+  error= 0;
+  if (mysql_query(l_mysql, "drop table t1"))
+  {
+    myerror(NULL);
+    error= 1;
+  }
+end:
+  mysql_close(l_mysql);
+  DIE_UNLESS(error == 0);
+}
+
+
+/*
   Read and parse arguments and MySQL options from my.cnf
 */
 
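Review bot: `DIE_UNLESS(1)` in the mysql_init failure branch never fires (the macro dies only when its argument is false), so a NULL `l_mysql` flows on into mysql_real_connect; change it to `DIE_UNLESS(l_mysql);`. The prepared statement is never released: add `mysql_stmt_close(stmt);` after the execute check and before the `drop table t1`, and note the `goto end` paths after the prepare leak it as well. The deliberate corruption `stmt->param_count=2;` has no comment; a one-liner such as `/* send fewer parameter values than the statement has placeholders (the malformed COM_EXECUTE of Bug#28934) */` tells the next reader what the test is provoking. The assertion only requires some nonzero return from mysql_stmt_execute, so checking `mysql_stmt_errno(stmt)` against the expected error would pin the fix rather than any failure. Every bind's buffer also points at the loop variable `cnt`, which is harmless here but reads like a copy-paste slip.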
@@ -15968,6 +16050,7 @@ static struct my_tests_st my_tests[]= {
   { "test_bug24179", test_bug24179 },
   { "test_bug27876", test_bug27876 },
   { "test_bug28505", test_bug28505 },
+  { "test_bug28934", test_bug28934 },
   { 0, 0 }
 };
 