
From:Georgi Kodinov Date:April 13 2009 1:47pm
Subject:bzr commit into mysql-5.0-bugteam branch (joro:2724) Bug#35087
#At file:///home/kgeorge/mysql/work/B35087-5.0-bugteam/ based on revid:luis.soares@strippedageh6mbb

 2724 Georgi Kodinov	2009-04-13
      Bug #35087: Inserting duplicate values at one time with DES_ENCRYPT leads to wrong results
      
      3 problems found with DES_ENCRYPT/DES_DECRYPT :
      1. The max length was not calculated properly. Fixed in fix_length_and_dec()
      2. DES_ENCRYPT had a side effect of sometimes reallocating and changing the value of its
      argument. Fixed by explicitly pre-allocating the necessary space to pad the argument with
      trailing '*' (stars) when calculating the DES digest.
      3. in DES_ENCRYPT the string buffer for the result value was not reallocated to the 
      correct size and only string length was assigned to it. Fixed by making sure there's 
      enough space to hold the result.
     @ mysql-test/r/func_des_encrypt.result
        Bug #35087: test case
     @ mysql-test/t/func_des_encrypt.test
        Bug #35087: test case
     @ sql/item_strfunc.cc
        Bug #35087: proper memory handling for des_encrypt
     @ sql/item_strfunc.h
        Bug #35087: proper maximum length for DES_ENCRYPT/DES_DECRYPT.

    modified:
      mysql-test/r/func_des_encrypt.result
      mysql-test/t/func_des_encrypt.test
      sql/item_strfunc.cc
      sql/item_strfunc.h
=== modified file 'mysql-test/r/func_des_encrypt.result'
--- a/mysql-test/r/func_des_encrypt.result	2005-07-07 18:49:44 +0000
+++ b/mysql-test/r/func_des_encrypt.result	2009-04-13 13:47:53 +0000
@@ -1,3 +1,37 @@
 select des_encrypt('hello');
 des_encrypt('hello')
 ��2nV��
+#
+# Bug #11643: des_encrypt() causes server to die
+#
+CREATE TABLE t1 (des VARBINARY(200) NOT NULL DEFAULT '') ENGINE=MyISAM;
+INSERT INTO t1 VALUES ('1234'), ('12345'), ('123456'), ('1234567');
+UPDATE t1 SET des=DES_ENCRYPT('1234');
+SELECT LENGTH(des) FROM t1;
+LENGTH(des)
+9
+9
+9
+9
+SELECT DES_DECRYPT(des) FROM t1;
+DES_DECRYPT(des)
+1234
+1234
+1234
+1234
+SELECT 
+LENGTH(DES_ENCRYPT('1234')), 
+LENGTH(DES_ENCRYPT('12345')), 
+LENGTH(DES_ENCRYPT('123456')), 
+LENGTH(DES_ENCRYPT('1234567'));
+LENGTH(DES_ENCRYPT('1234'))	LENGTH(DES_ENCRYPT('12345'))	LENGTH(DES_ENCRYPT('123456'))	LENGTH(DES_ENCRYPT('1234567'))
+9	9	9	9
+SELECT 
+DES_DECRYPT(DES_ENCRYPT('1234')), 
+DES_DECRYPT(DES_ENCRYPT('12345')), 
+DES_DECRYPT(DES_ENCRYPT('123456')), 
+DES_DECRYPT(DES_ENCRYPT('1234567'));
+DES_DECRYPT(DES_ENCRYPT('1234'))	DES_DECRYPT(DES_ENCRYPT('12345'))	DES_DECRYPT(DES_ENCRYPT('123456'))	DES_DECRYPT(DES_ENCRYPT('1234567'))
+1234	12345	123456	1234567
+DROP TABLE t1;
+End of 5.0 tests

=== modified file 'mysql-test/t/func_des_encrypt.test'
--- a/mysql-test/t/func_des_encrypt.test	2007-03-05 09:03:42 +0000
+++ b/mysql-test/t/func_des_encrypt.test	2009-04-13 13:47:53 +0000
@@ -9,3 +9,31 @@
 select des_encrypt('hello');
 
 # End of 4.1 tests
+
+--echo #
+--echo # Bug #11643: des_encrypt() causes server to die
+--echo #
+
+CREATE TABLE t1 (des VARBINARY(200) NOT NULL DEFAULT '') ENGINE=MyISAM;
+
+INSERT INTO t1 VALUES ('1234'), ('12345'), ('123456'), ('1234567');
+
+UPDATE t1 SET des=DES_ENCRYPT('1234');
+
+SELECT LENGTH(des) FROM t1;
+SELECT DES_DECRYPT(des) FROM t1;
+
+SELECT 
+ LENGTH(DES_ENCRYPT('1234')), 
+ LENGTH(DES_ENCRYPT('12345')), 
+ LENGTH(DES_ENCRYPT('123456')), 
+ LENGTH(DES_ENCRYPT('1234567'));
+SELECT 
+ DES_DECRYPT(DES_ENCRYPT('1234')), 
+ DES_DECRYPT(DES_ENCRYPT('12345')), 
+ DES_DECRYPT(DES_ENCRYPT('123456')), 
+ DES_DECRYPT(DES_ENCRYPT('1234567'));
+
+DROP TABLE t1;
+
+--Echo End of 5.0 tests
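Review bot: The banner added to func_des_encrypt.test names Bug #11643, while the commit and its description are for Bug #35087, so anyone tracing this test back from the bug database will land on the wrong report. I would change the banner to `--echo # Bug #35087: Inserting duplicate values at one time with DES_ENCRYPT leads to wrong results` and regenerate the .result file. The trailing `--Echo End of 5.0 tests` is also capitalised differently from the `--echo` lines above it. The cases only decrypt values that DES_ENCRYPT produced, so the new DES_DECRYPT length calculation is never exercised with an argument shorter than 9 bytes; a `SELECT DES_DECRYPT('abc');` row would cover that.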

=== modified file 'sql/item_strfunc.cc'
--- a/sql/item_strfunc.cc	2009-03-19 13:44:58 +0000
+++ b/sql/item_strfunc.cc	2009-04-13 13:47:53 +0000
@@ -475,15 +475,19 @@ String *Item_func_des_encrypt::val_str(S
 
   tail=  (8-(res_length) % 8);			// 1..8 marking extra length
   res_length+=tail;
+  tmp_arg.realloc(res_length);
+  tmp_arg.length(0);
+  tmp_arg.qs_append(res->ptr(), res->length());
   code= ER_OUT_OF_RESOURCES;
-  if (tail && res->append(append_str, tail) || tmp_value.alloc(res_length+1))
+  if (tail && tmp_arg.append(append_str, tail) || tmp_value.alloc(res_length+1))
     goto error;
-  (*res)[res_length-1]=tail;			// save extra length
+  tmp_arg[res_length-1]=tail;			// save extra length
+  tmp_value.realloc(res_length+1);
   tmp_value.length(res_length+1);
   tmp_value[0]=(char) (128 | key_number);
   // Real encryption
   bzero((char*) &ivec,sizeof(ivec));
-  DES_ede3_cbc_encrypt((const uchar*) (res->ptr()),
+  DES_ede3_cbc_encrypt((const uchar*) (tmp_arg.ptr()),
 		       (uchar*) (tmp_value.ptr()+1),
 		       res_length,
 		       &keyschedule.ks1,
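Review bot: The return value of `tmp_arg.realloc(res_length)` is not checked, and the `qs_append()` that follows appears to be the non-reallocating append (hence the explicit pre-allocation), so an allocation failure here would copy `res->length()` bytes of the argument into a buffer that was never grown instead of taking the `ER_OUT_OF_RESOURCES` path. Move `code= ER_OUT_OF_RESOURCES;` above the new lines and guard the call: `if (tmp_arg.realloc(res_length)) goto error;`. The added `tmp_value.realloc(res_length+1)` is likewise unchecked and looks redundant directly after the checked `tmp_value.alloc(res_length+1)`; either drop it or fold it into the checked condition. val_str() begins and ends outside this hunk, so the `error:` label and the earlier computation of `res_length` are not visible here.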

=== modified file 'sql/item_strfunc.h'
--- a/sql/item_strfunc.h	2009-02-10 22:47:54 +0000
+++ b/sql/item_strfunc.h	2009-04-13 13:47:53 +0000
@@ -306,13 +306,17 @@ public:
 
 class Item_func_des_encrypt :public Item_str_func
 {
-  String tmp_value;
+  String tmp_value,tmp_arg;
 public:
   Item_func_des_encrypt(Item *a) :Item_str_func(a) {}
   Item_func_des_encrypt(Item *a, Item *b): Item_str_func(a,b) {}
   String *val_str(String *);
   void fix_length_and_dec()
-  { maybe_null=1; max_length = args[0]->max_length+8; }
+  {
+    maybe_null=1;
+    /* 9 = MAX ((8- (arg_len % 8)) + 1) */
+    max_length = args[0]->max_length + 9;
+  }
   const char *func_name() const { return "des_encrypt"; }
 };
 
@@ -323,7 +327,12 @@ public:
   Item_func_des_decrypt(Item *a) :Item_str_func(a) {}
   Item_func_des_decrypt(Item *a, Item *b): Item_str_func(a,b) {}
   String *val_str(String *);
-  void fix_length_and_dec() { maybe_null=1; max_length = args[0]->max_length; }
+  void fix_length_and_dec()
+  {
+    maybe_null=1;
+    /* 9 = MAX ((8- (arg_len % 8)) + 1) */
+    max_length = args[0]->max_length - 9;
+  }
   const char *func_name() const { return "des_decrypt"; }
 };
 
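Review bot: `args[0]->max_length - 9` in Item_func_des_decrypt::fix_length_and_dec() wraps around when the argument's max_length is below 9, assuming max_length is an unsigned field (its declaration is outside this hunk), so a short argument would advertise a result length near the type's maximum. Subtracting 9 also removes the largest possible overhead, which turns the value into a lower bound rather than an upper bound: the 9-byte ciphertext the test produces for '1234567' decrypts to 7 bytes, but a 9-byte argument gets max_length 0. At minimum guard the subtraction, `max_length = args[0]->max_length; if (max_length >= 9U) max_length -= 9U;`, and consider subtracting only the minimum overhead of 2 (one key byte plus one pad byte) so the declared length can never be smaller than the real result. The comment `9 = MAX ((8- (arg_len % 8)) + 1)` was copied from the encrypt side and should be reworded to say what the subtraction means for decryption.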

Attachment: [text/bzr-bundle] bzr/joro@sun.com-20090413134753-zx5ug2mwkfi0qswi.bundle