
From:Alexey Kopytov Date:February 3 2009 5:19pm
Subject:bzr commit into mysql-5.0-bugteam branch (Alexey.Kopytov:2735)
Bug#41868
#At file:///Users/kaa/src/bzr/bug41868/mysql-5.0-bugteam/ based on revid:davi.arnaut@stripped

 2735 Alexey Kopytov	2009-02-03
      Fix for bug #41868: crash or memory overrun with concat + upper, date_format
                          functions
            
      String::realloc() did not check whether the existing string data fits in the newly
      allocated buffer for cases when reallocating a String object with external buffer
      (i.e. alloced == FALSE). This could lead to memory overruns in some cases.
modified:
  client/sql_string.cc
  mysql-test/r/func_str.result
  mysql-test/t/func_str.test
  sql/sql_class.cc
  sql/sql_string.cc

per-file messages:
  mysql-test/r/func_str.result
    Added a test case for bug #41868.
  mysql-test/t/func_str.test
    Added a test case for bug #41868.
  sql/sql_class.cc
    After each call to Item::send() in select_send::send_data() reset buffer to its
    original state to reduce unnecessary malloc() calls. See comments for bug #41868
    for detailed analysis.
  sql/sql_string.cc
    Fixed String::realloc() to check whether the existing string data fits in the newly allocated buffer for cases when reallocating a String object with external buffer.
=== modified file 'client/sql_string.cc'
--- a/client/sql_string.cc	2007-03-28 17:46:42 +0000
+++ b/client/sql_string.cc	2009-02-03 17:19:01 +0000
@@ -72,26 +72,26 @@ bool String::realloc(uint32 alloc_length
     if (alloced)
     {
       if ((new_ptr= (char*) my_realloc(Ptr,len,MYF(MY_WME))))
-      {
-	Ptr=new_ptr;
-	Alloced_length=len;
-      }
+        new_ptr[alloc_length]= 0;
       else
-	return TRUE;				// Signal error
+        return TRUE;				// Signal error
     }
     else if ((new_ptr= (char*) my_malloc(len,MYF(MY_WME))))
     {
+      if (str_length > len - 1)
+        str_length= 0;
       if (str_length)				// Avoid bugs in memcpy on AIX
-	memcpy(new_ptr,Ptr,str_length);
-      new_ptr[str_length]=0;
-      Ptr=new_ptr;
-      Alloced_length=len;
+        memcpy(new_ptr, Ptr, str_length);
+      new_ptr[str_length]= 0;
       alloced=1;
     }
     else
       return TRUE;			// Signal error
+    Ptr= new_ptr;
+    Alloced_length= len;
   }
-  Ptr[alloc_length]=0;			// This make other funcs shorter
+  else
+    Ptr[alloc_length]= 0;
   return FALSE;
 }
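Review bot: The new guard `if (str_length > len - 1) str_length= 0;` in the my_malloc branch stops the overrun but silently empties the string and still returns FALSE (success), so a caller that reallocates an external buffer to less than its current contents gets an empty result with no error. A comment should say which state this catches and that data is deliberately dropped, e.g. `/* External buffer whose str_length exceeds the new capacity: drop the contents rather than overrun the new allocation. */`, and if callers never legitimately pass an alloc_length smaller than str_length, a `DBUG_ASSERT(str_length <= len - 1);` before the guard would make the truncation visible in debug builds while keeping the release behaviour. `len` is computed above the hunk, so whether `len - 1` can underflow for a wrapped alloc_length cannot be checked here; String::realloc's head is outside the hunk. The identical hunk in sql/sql_string.cc below has the same point.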
 

=== modified file 'mysql-test/r/func_str.result'
--- a/mysql-test/r/func_str.result	2008-12-09 10:00:43 +0000
+++ b/mysql-test/r/func_str.result	2009-02-03 17:19:01 +0000
@@ -2181,4 +2181,10 @@ def					format(a, 2)	253	20	4	Y	0	2	8
 format(a, 2)
 1.33
 drop table t1;
+CREATE TABLE t1 (c DATE, aa VARCHAR(30));
+INSERT INTO t1 VALUES ('2008-12-31','aaaaaa');
+SELECT DATE_FORMAT(c, GET_FORMAT(DATE, 'eur')) h, CONCAT(UPPER(aa),', ', aa) i FROM t1;
+h	i
+31.12.2008	AAAAAA, aaaaaa
+DROP TABLE t1;
 End of 5.0 tests

=== modified file 'mysql-test/t/func_str.test'
--- a/mysql-test/t/func_str.test	2008-12-09 10:00:43 +0000
+++ b/mysql-test/t/func_str.test	2009-02-03 17:19:01 +0000
@@ -1159,4 +1159,13 @@ select format(a, 2) from t1;
 --disable_metadata
 drop table t1;
 
+#
+# Bug #41868: crash or memory overrun with concat + upper, date_format functions
+#
+
+CREATE TABLE t1 (c DATE, aa VARCHAR(30));
+INSERT INTO t1 VALUES ('2008-12-31','aaaaaa');
+SELECT DATE_FORMAT(c, GET_FORMAT(DATE, 'eur')) h, CONCAT(UPPER(aa),', ', aa) i FROM t1;
+DROP TABLE t1;
+
 --echo End of 5.0 tests
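Review bot: The header comment names the bug number but not what makes this particular SELECT the reproducer, so a later edit to the query could stop exercising the realloc path without anyone noticing; the commit message suggests it is the combination of DATE_FORMAT with GET_FORMAT and CONCAT(UPPER()) sending results through a String that points at an external buffer. Add a line such as `# The DATE_FORMAT/GET_FORMAT and CONCAT(UPPER()) pair makes Item::send() reallocate a String with an external buffer (see String::realloc).` under the bug reference. The test only checks the result rows, so the overrun itself is observable only under valgrind or a debug build; worth stating in the comment.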

=== modified file 'sql/sql_class.cc'
--- a/sql/sql_class.cc	2009-01-15 09:36:34 +0000
+++ b/sql/sql_class.cc	2009-02-03 17:19:01 +0000
@@ -1047,6 +1047,11 @@ bool select_send::send_data(List<Item> &
       my_message(ER_OUT_OF_RESOURCES, ER(ER_OUT_OF_RESOURCES), MYF(0));
       break;
     }
+    /*
+      Reset buffer to its original state, as it may have been altered in
+      Item::send().
+    */
+    buffer.set(buff, sizeof(buff), &my_charset_bin);
   }
   thd->sent_row_count++;
   if (!thd->vio_ok())
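Review bot: The reset `buffer.set(buff, sizeof(buff), &my_charset_bin);` relies on String::set() releasing any heap storage that Item::send() made buffer allocate (alloced == TRUE); if set() does not free first, this leaks once per row per item, and the comment should record that dependency, e.g. `/* Point buffer back at the stack array so later realloc() calls start from sizeof(buff); String::set() frees any storage Item::send() allocated. */`. The reset also runs only on the success path: the `break` above leaves buffer in whatever state Item::send() left it, which is safe only if buffer's destructor owns that storage. select_send::send_data() starts and ends outside the hunk, so how buffer is declared and destroyed is not visible here.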

=== modified file 'sql/sql_string.cc'
--- a/sql/sql_string.cc	2007-12-19 13:49:04 +0000
+++ b/sql/sql_string.cc	2009-02-03 17:19:01 +0000
@@ -72,26 +72,26 @@ bool String::realloc(uint32 alloc_length
     if (alloced)
     {
       if ((new_ptr= (char*) my_realloc(Ptr,len,MYF(MY_WME))))
-      {
-	Ptr=new_ptr;
-	Alloced_length=len;
-      }
+        new_ptr[alloc_length]= 0;
       else
-	return TRUE;				// Signal error
+        return TRUE;				// Signal error
     }
     else if ((new_ptr= (char*) my_malloc(len,MYF(MY_WME))))
     {
+      if (str_length > len - 1)
+        str_length= 0;
       if (str_length)				// Avoid bugs in memcpy on AIX
-	memcpy(new_ptr,Ptr,str_length);
-      new_ptr[str_length]=0;
-      Ptr=new_ptr;
-      Alloced_length=len;
+        memcpy(new_ptr, Ptr, str_length);
+      new_ptr[str_length]= 0;
       alloced=1;
     }
     else
       return TRUE;			// Signal error
+    Ptr= new_ptr;
+    Alloced_length= len;
   }
-  Ptr[alloc_length]=0;			// This make other funcs shorter
+  else
+    Ptr[alloc_length]= 0;
   return FALSE;
 }
 
