Commit f940c2ca authored by Michael Widenius's avatar Michael Widenius

Fixed a memory overrun in dynamic columns when sending in a mailformed (too...

Fixed a memory overrun in dynamic columns when sending in a malformed (too short in this case) string.

mysql-test/t/dyncol.test:
  Added test case for malformed string usage
mysys/ma_dyncol.c:
  Added test for wrong dynamic string data
parent 8d52c2cf
...@@ -1228,3 +1228,9 @@ NULL NULL ...@@ -1228,3 +1228,9 @@ NULL NULL
0002000100030200230861626308636465 2 0002000100030200230861626308636465 2
SELECT COLUMN_ADD(f1, 1, 'abc'), COLUMN_LIST(f1) FROM t1; SELECT COLUMN_ADD(f1, 1, 'abc'), COLUMN_LIST(f1) FROM t1;
DROP TABLE t1; DROP TABLE t1;
#
# Some dynamic strings that caused crashes in the past
#
set @a=0x
select column_add(@a, 3, "a");
ERROR HY000: Encountered illegal format of dynamic column string
...@@ -498,3 +498,11 @@ SELECT HEX(COLUMN_ADD(f1, 1, 'abc')), COLUMN_LIST(f1) FROM t1; ...@@ -498,3 +498,11 @@ SELECT HEX(COLUMN_ADD(f1, 1, 'abc')), COLUMN_LIST(f1) FROM t1;
SELECT COLUMN_ADD(f1, 1, 'abc'), COLUMN_LIST(f1) FROM t1; SELECT COLUMN_ADD(f1, 1, 'abc'), COLUMN_LIST(f1) FROM t1;
--enable_result_log --enable_result_log
DROP TABLE t1; DROP TABLE t1;
--echo #
--echo # Some dynamic strings that caused crashes in the past
--echo #
set @a=0x
--error ER_DYN_COL_WRONG_FORMAT
select column_add(@a, 3, "a");
...@@ -1963,6 +1963,13 @@ dynamic_column_update_many(DYNAMIC_COLUMN *str, ...@@ -1963,6 +1963,13 @@ dynamic_column_update_many(DYNAMIC_COLUMN *str,
type_and_offset_read(&tp, &offs, read, offset_size); type_and_offset_read(&tp, &offs, read, offset_size);
if (k == start) if (k == start)
first_offset= offs; first_offset= offs;
else if (offs < first_offset)
{
dynamic_column_column_free(&tmp);
rc= ER_DYNCOL_FORMAT;
goto end;
}
offs+= plan[i].ddelta; offs+= plan[i].ddelta;
int2store(write, nm); int2store(write, nm);
/* write rest of data at write + COLUMN_NUMBER_SIZE */ /* write rest of data at write + COLUMN_NUMBER_SIZE */
...@@ -1979,7 +1986,8 @@ dynamic_column_update_many(DYNAMIC_COLUMN *str, ...@@ -1979,7 +1986,8 @@ dynamic_column_update_many(DYNAMIC_COLUMN *str,
get_length_interval(header_base + start * entry_size, get_length_interval(header_base + start * entry_size,
header_base + end * entry_size, header_base + end * entry_size,
header_end, offset_size, max_offset); header_end, offset_size, max_offset);
if ((long) data_size < 0) if ((long) data_size < 0 ||
data_size > max_offset - first_offset)
{ {
dynamic_column_column_free(&tmp); dynamic_column_column_free(&tmp);
rc= ER_DYNCOL_FORMAT; rc= ER_DYNCOL_FORMAT;
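Review bot: The new bound in the second ma_dyncol.c hunk, `data_size > max_offset - first_offset`, is only meaningful when `first_offset <= max_offset`, and nothing visible in either hunk establishes that. The first hunk rejects later entries whose offset is below `first_offset`, but the first entry's own offset is taken as read from the string. If these variables are unsigned (their declarations are outside the hunks, so this is inferred), a `first_offset` larger than `max_offset` makes the subtraction wrap and the check pass. I would make the comparison explicit, `if ((long) data_size < 0 || first_offset > max_offset || data_size > max_offset - first_offset)`, and add a one-line comment that every offset here comes from the caller-supplied column string and must be bounded before it is used for copying. The body of dynamic_column_update_many starts and ends outside both hunks, so an earlier check may already cover this; if so, a comment pointing to it would help.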