Commit 059797ed authored by Alexander Barkov's avatar Alexander Barkov

MDEV-24901 SIGSEGV in fts_get_table_name, SIGSEGV in ib_vector_size, SIGSEGV...

MDEV-24901 SIGSEGV in fts_get_table_name, SIGSEGV in ib_vector_size, SIGSEGV in row_merge_fts_doc_tokenize, stack smashing

strmake() puts one extra 0x00 byte at the end of the string.
The code in my_strnxfrm_tis620[_nopad] did not take this into
account, so in the reported scenario the 0x00 byte was put outside
of a stack variable, which made ASAN crash.

This problem is already fixed in in MySQL:

  commit 19bd66fe43c41f0bde5f36bc6b455a46693069fb
  Author: bin.x.su@oracle.com <>
  Date:   Fri Apr 4 11:35:27 2014 +0800

But the fix does not seem to be correct, as it breaks when finds a zero byte
in the source string.

Using memcpy() instead of strmake().

- Unlike strmake(), memcpy() it does not write beyond the destination
  size passed.
- Unlike the MySQL fix, memcpy() does not break on the first 0x00 byte found
  in the source string.
parent 42ae7659
...@@ -4421,5 +4421,14 @@ DROP TABLE t1; ...@@ -4421,5 +4421,14 @@ DROP TABLE t1;
# #
SET STORAGE_ENGINE=Default; SET STORAGE_ENGINE=Default;
# #
# MDEV-24901 SIGSEGV in fts_get_table_name, SIGSEGV in ib_vector_size, SIGSEGV in row_merge_fts_doc_tokenize, stack smashing
#
SELECT HEX(WEIGHT_STRING(_tis620 'a\0b'));
HEX(WEIGHT_STRING(_tis620 'a\0b'))
610062
SELECT HEX(WEIGHT_STRING(_tis620 'a\0b' COLLATE tis620_thai_nopad_ci));
HEX(WEIGHT_STRING(_tis620 'a\0b' COLLATE tis620_thai_nopad_ci))
610062
#
# End of 10.2 tests # End of 10.2 tests
# #
SET STORAGE_ENGINE=InnoDB;
#
# Start of 10.2 tests
#
#
# MDEV-24901 SIGSEGV in fts_get_table_name, SIGSEGV in ib_vector_size, SIGSEGV in row_merge_fts_doc_tokenize, stack smashing Export
#
CREATE TABLE t1(c TEXT CHARACTER SET tis620);
SHOW CREATE TABLE t1;
Table Create Table
t1 CREATE TABLE `t1` (
`c` text CHARACTER SET tis620 DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1
INSERT INTO t1 VALUES('100');
ALTER TABLE t1 ADD FULLTEXT INDEX(c), ALGORITHM=INPLACE;
Warnings:
Warning 124 InnoDB rebuilding table to add column FTS_DOC_ID
DROP TABLE t1;
CREATE TABLE t1(c TEXT CHARACTER SET tis620 COLLATE tis620_thai_nopad_ci);
SHOW CREATE TABLE t1;
Table Create Table
t1 CREATE TABLE `t1` (
`c` text CHARACTER SET tis620 COLLATE tis620_thai_nopad_ci DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1
INSERT INTO t1 VALUES('100');
ALTER TABLE t1 ADD FULLTEXT INDEX(c), ALGORITHM=INPLACE;
Warnings:
Warning 124 InnoDB rebuilding table to add column FTS_DOC_ID
DROP TABLE t1;
#
# End of 10.2 tests
#
--source include/have_innodb.inc
--source include/have_tis620.inc
SET STORAGE_ENGINE=InnoDB;
--echo #
--echo # Start of 10.2 tests
--echo #
--echo #
--echo # MDEV-24901 SIGSEGV in fts_get_table_name, SIGSEGV in ib_vector_size, SIGSEGV in row_merge_fts_doc_tokenize, stack smashing Export
--echo #
CREATE TABLE t1(c TEXT CHARACTER SET tis620);
SHOW CREATE TABLE t1;
INSERT INTO t1 VALUES('100');
ALTER TABLE t1 ADD FULLTEXT INDEX(c), ALGORITHM=INPLACE;
DROP TABLE t1;
CREATE TABLE t1(c TEXT CHARACTER SET tis620 COLLATE tis620_thai_nopad_ci);
SHOW CREATE TABLE t1;
INSERT INTO t1 VALUES('100');
ALTER TABLE t1 ADD FULLTEXT INDEX(c), ALGORITHM=INPLACE;
DROP TABLE t1;
--echo #
--echo # End of 10.2 tests
--echo #
...@@ -209,6 +209,13 @@ let $coll='tis620_nopad_bin'; ...@@ -209,6 +209,13 @@ let $coll='tis620_nopad_bin';
let $coll_pad='tis620_bin'; let $coll_pad='tis620_bin';
--source include/ctype_pad_all_engines.inc --source include/ctype_pad_all_engines.inc
--echo #
--echo # MDEV-24901 SIGSEGV in fts_get_table_name, SIGSEGV in ib_vector_size, SIGSEGV in row_merge_fts_doc_tokenize, stack smashing
--echo #
SELECT HEX(WEIGHT_STRING(_tis620 'a\0b'));
SELECT HEX(WEIGHT_STRING(_tis620 'a\0b' COLLATE tis620_thai_nopad_ci));
--echo # --echo #
--echo # End of 10.2 tests --echo # End of 10.2 tests
--echo # --echo #
...@@ -605,8 +605,8 @@ my_strnxfrm_tis620(CHARSET_INFO *cs, ...@@ -605,8 +605,8 @@ my_strnxfrm_tis620(CHARSET_INFO *cs,
const uchar *src, size_t srclen, uint flags) const uchar *src, size_t srclen, uint flags)
{ {
size_t len, dstlen0= dstlen; size_t len, dstlen0= dstlen;
len= (uint) (strmake((char*) dst, (char*) src, MY_MIN(dstlen, srclen)) - len= MY_MIN(dstlen, srclen);
(char*) dst); memcpy(dst, src, len);
len= thai2sortable(dst, len); len= thai2sortable(dst, len);
set_if_smaller(dstlen, nweights); set_if_smaller(dstlen, nweights);
set_if_smaller(len, dstlen); set_if_smaller(len, dstlen);
...@@ -628,8 +628,8 @@ my_strnxfrm_tis620_nopad(CHARSET_INFO *cs, ...@@ -628,8 +628,8 @@ my_strnxfrm_tis620_nopad(CHARSET_INFO *cs,
const uchar *src, size_t srclen, uint flags) const uchar *src, size_t srclen, uint flags)
{ {
size_t len, dstlen0= dstlen; size_t len, dstlen0= dstlen;
len= (uint) (strmake((char*) dst, (char*) src, MY_MIN(dstlen, srclen)) - len= MY_MIN(dstlen, srclen);
(char*) dst); memcpy(dst, src, len);
len= thai2sortable(dst, len); len= thai2sortable(dst, len);
set_if_smaller(dstlen, nweights); set_if_smaller(dstlen, nweights);
set_if_smaller(len, dstlen); set_if_smaller(len, dstlen);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment