Commit f940c2ca authored by Michael Widenius's avatar Michael Widenius

Fixed a memory overrun in dynamic columns when sending in a mailformed (too...

Fixed a memory overrun in dynamic columns when sending in a malformed (too short in this case) string.

mysql-test/t/dyncol.test:
  Added test case for mailformed string usage
mysys/ma_dyncol.c:
  Added test for wrong dynamic string data
parent 8d52c2cf
...@@ -1228,3 +1228,9 @@ NULL NULL ...@@ -1228,3 +1228,9 @@ NULL NULL
0002000100030200230861626308636465 2 0002000100030200230861626308636465 2
SELECT COLUMN_ADD(f1, 1, 'abc'), COLUMN_LIST(f1) FROM t1; SELECT COLUMN_ADD(f1, 1, 'abc'), COLUMN_LIST(f1) FROM t1;
DROP TABLE t1; DROP TABLE t1;
#
# Some dynamic strings that caused crashes in the past
#
set @a=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
select column_add(@a, 3, "a");
ERROR HY000: Encountered illegal format of dynamic column string
...@@ -498,3 +498,11 @@ SELECT HEX(COLUMN_ADD(f1, 1, 'abc')), COLUMN_LIST(f1) FROM t1; ...@@ -498,3 +498,11 @@ SELECT HEX(COLUMN_ADD(f1, 1, 'abc')), COLUMN_LIST(f1) FROM t1;
SELECT COLUMN_ADD(f1, 1, 'abc'), COLUMN_LIST(f1) FROM t1; SELECT COLUMN_ADD(f1, 1, 'abc'), COLUMN_LIST(f1) FROM t1;
--enable_result_log --enable_result_log
DROP TABLE t1; DROP TABLE t1;
--echo #
--echo # Some dynamic strings that caused crashes in the past
--echo #
set @a=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
--error ER_DYN_COL_WRONG_FORMAT
select column_add(@a, 3, "a");
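Review bot: The new case feeds the malformed string only to column_add, so the regression test exercises just the update path that the C fix changes; the same `@a` value passed to the read-only functions (for example `select column_list(@a);` under the same `--error ER_DYN_COL_WRONG_FORMAT`) would also pin down that the other parsers reject it instead of reading past the buffer, which this commit does not verify. The `--echo` comment says "strings" in the plural while the section adds a single fixture; either add further known-bad strings here or reword it to the singular so the intent stays clear.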
...@@ -1963,6 +1963,13 @@ dynamic_column_update_many(DYNAMIC_COLUMN *str, ...@@ -1963,6 +1963,13 @@ dynamic_column_update_many(DYNAMIC_COLUMN *str,
type_and_offset_read(&tp, &offs, read, offset_size); type_and_offset_read(&tp, &offs, read, offset_size);
if (k == start) if (k == start)
first_offset= offs; first_offset= offs;
else if (offs < first_offset)
{
dynamic_column_column_free(&tmp);
rc= ER_DYNCOL_FORMAT;
goto end;
}
offs+= plan[i].ddelta; offs+= plan[i].ddelta;
int2store(write, nm); int2store(write, nm);
/* write rest of data at write + COLUMN_NUMBER_SIZE */ /* write rest of data at write + COLUMN_NUMBER_SIZE */
...@@ -1979,7 +1986,8 @@ dynamic_column_update_many(DYNAMIC_COLUMN *str, ...@@ -1979,7 +1986,8 @@ dynamic_column_update_many(DYNAMIC_COLUMN *str,
get_length_interval(header_base + start * entry_size, get_length_interval(header_base + start * entry_size,
header_base + end * entry_size, header_base + end * entry_size,
header_end, offset_size, max_offset); header_end, offset_size, max_offset);
if ((long) data_size < 0) if ((long) data_size < 0 ||
data_size > max_offset - first_offset)
{ {
dynamic_column_column_free(&tmp); dynamic_column_column_free(&tmp);
rc= ER_DYNCOL_FORMAT; rc= ER_DYNCOL_FORMAT;
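Review bot: The widened condition on the `if ((long) data_size < 0 ||` line in the second hunk still accepts a header whose `first_offset` is larger than `max_offset`: if both are unsigned (the `(long)` cast on `data_size` suggests size_t-style types, but the declarations are outside the hunk) `max_offset - first_offset` wraps to a large value and the new comparison passes; an explicit order check would close that, `if ((long) data_size < 0 || first_offset > max_offset || data_size > max_offset - first_offset)`. The `else if (offs < first_offset)` branch in the first hunk rejects silently without saying why; a comment such as `/* offsets within the updated range must not precede its first entry, otherwise the copy below would start before the data */` would document the invariant being enforced (the copy itself is outside the hunk). Both new branches repeat the `dynamic_column_column_free(&tmp); rc= ER_DYNCOL_FORMAT; goto end;` triple that the existing error path already uses, which suggests a single shared error label instead of a third copy. dynamic_column_update_many begins and ends outside these hunks.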