List: Commits
From:Gleb Shchepa Date:June 27 2008 10:33am
Subject:bzr push into mysql-5.1 branch (gshchepa:2675 to 2676) Bug#35658
 2676 Gleb Shchepa	2008-06-27
      backport to 5.1 from 6.0
      
      Bug#35658 (An empty binary value leads to mysqld crash)
        
      Before this fix, the following token
        b''
      caused the parser to crash when reading the binary value from the empty string.
      The crash was caused by:
        ptr+= max_length - 1;
      because max_length is unsigned and was 0, so max_length - 1 wrapped around (an unsigned overflow).
        
      With this fix, an empty binary literal b'' is parsed as a binary value 0,
      in Item_bin_string.
modified:
  mysql-test/r/varbinary.result
  mysql-test/t/varbinary.test
  sql/item.cc

 2675 Matthias Leich	2008-06-25 [merge]
      Upmerge 5.0 -> 5.1
added:
  mysql-test/include/wait_condition.inc
renamed:
  mysql-test/include/wait_condition.inc => mysql-test/include/wait_condition.inc.moved
modified:
  mysql-test/t/subselect.test

=== modified file 'mysql-test/r/varbinary.result'
--- a/mysql-test/r/varbinary.result	2007-06-12 21:23:58 +0000
+++ b/mysql-test/r/varbinary.result	2008-06-27 10:23:40 +0000
@@ -95,3 +95,34 @@ table_28127_b	CREATE TABLE `table_28127_
 ) ENGINE=MyISAM DEFAULT CHARSET=latin1
 drop table table_28127_a;
 drop table table_28127_b;
+select 0b01000001;
+0b01000001
+A
+select 0x41;
+0x41
+A
+select b'01000001';
+b'01000001'
+A
+select x'41', 0+x'41';
+x'41'	0+x'41'
+A	65
+select N'abc', length(N'abc');
+abc	length(N'abc')
+abc	3
+select N'', length(N'');
+	length(N'')
+	0
+select '', length('');
+	length('')
+	0
+select b'', 0+b'';
+b''	0+b''
+	0
+select x'', 0+x'';
+x''	0+x''
+	0
+select 0x;
+ERROR 42S22: Unknown column '0x' in 'field list'
+select 0b;
+ERROR 42S22: Unknown column '0b' in 'field list'

=== modified file 'mysql-test/t/varbinary.test'
--- a/mysql-test/t/varbinary.test	2007-06-12 21:23:58 +0000
+++ b/mysql-test/t/varbinary.test	2008-06-27 10:23:40 +0000
@@ -104,3 +104,31 @@ show create table table_28127_b;
 drop table table_28127_a;
 drop table table_28127_b;
 
+#
+# Bug#35658 (An empty binary value leads to mysqld crash)
+#
+
+select 0b01000001;
+
+select 0x41;
+
+select b'01000001';
+
+select x'41', 0+x'41';
+
+select N'abc', length(N'abc');
+
+select N'', length(N'');
+
+select '', length('');
+
+select b'', 0+b'';
+
+select x'', 0+x'';
+
+--error ER_BAD_FIELD_ERROR
+select 0x;
+
+--error ER_BAD_FIELD_ERROR
+select 0b;
+
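Review bot: The new cases exercise `b''` and `x''` only through `0+b''` and `0+x''`, which cannot tell a zero-length value from a single zero byte. The `N''` and `''` cases just above use `length()`; adding `select length(b''), hex(b'');` and the same for `x''` would pin the length of the empty literal, which the commit message describes only as "a binary value 0". The corresponding output would also have to be recorded in varbinary.result.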

=== modified file 'sql/item.cc'
--- a/sql/item.cc	2008-05-20 07:38:17 +0000
+++ b/sql/item.cc	2008-06-27 10:23:40 +0000
@@ -5172,21 +5172,28 @@ Item_bin_string::Item_bin_string(const c
   if (!ptr)
     return;
   str_value.set(ptr, max_length, &my_charset_bin);
-  ptr+= max_length - 1;
-  ptr[1]= 0;                     // Set end null for string
-  for (; end >= str; end--)
+
+  if (max_length > 0)
   {
-    if (power == 256)
+    ptr+= max_length - 1;
+    ptr[1]= 0;                     // Set end null for string
+    for (; end >= str; end--)
     {
-      power= 1;
-      *ptr--= bits;
-      bits= 0;     
+      if (power == 256)
+      {
+        power= 1;
+        *ptr--= bits;
+        bits= 0;
+      }
+      if (*end == '1')
+        bits|= power;
+      power<<= 1;
     }
-    if (*end == '1')
-      bits|= power; 
-    power<<= 1;
+    *ptr= (char) bits;
   }
-  *ptr= (char) bits;
+  else
+    ptr[0]= 0;
+
   collation.set(&my_charset_bin, DERIVATION_COERCIBLE);
   fixed= 1;
 }
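Review bot: The terminating NUL lands at offset `max_length` of the buffer in both branches (`ptr[1]` after `ptr+= max_length - 1`, and `ptr[0]` in the new `else`), so the split exists only to keep the unsigned `max_length - 1` from wrapping. Writing `ptr[max_length]= 0;` once before `if (max_length > 0)` would remove the `else` and make it explicit that the buffer must hold at least `max_length + 1` bytes; the allocation is outside the hunk, so that size should be confirmed there. A comment on the guard such as `// max_length is unsigned: for an empty literal, max_length - 1 would wrap and ptr would leave the buffer` would keep a later cleanup from dropping it. The constructor begins above the hunk.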
