Fix for BUG#2703

"MySQL server does not detect if garbage chars at the end of query": Detect garbage chars at the end of the query or at the end of a query for a prepared statement (which happens if mysql_real_query() or mysql_prepare() were called with a too big 'length' parameter (bigger than the real intended length of the query: then we receive a query + garbage characters from the client). This resulted in garbage chars written into the binlog. Now instead the client receives something like: 'You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '!stmt' at line 1' i.e. the server is pointing at the weird tail of the query (this '!stmt' are the garbage chars sent by the client). All tests pass, except mysqldump.test and ctype_utf8.test but they failed before the patch. sql/sql_parse.cc: Detect garbage chars at the end of the query (which happens if mysql_real_query() was called with a too big 'length' parameter (bigger than the real intended length of the query: then we receive a query + garbage characters from the client). sql/sql_prepare.cc: Detect garbage chars at the end of the query (which happens if mysql_prepare() was called with a too big 'length' parameter (bigger than the real intended length of the query: then we receive a query + garbage characters from the client). tests/client_test.c: The change to sql_parse.cc and sql_prepare.cc rightfully gives many syntax errors to tests/client_test.c which is full of mysql_prepare(mysql, "SHOW TABLES", 100). Correcting all these commands.

Fix for BUG#2703
"MySQL server does not detect if garbage chars at the end of query": Detect garbage chars at the end of the query or at the end of a query for a prepared statement (which happens if mysql_real_query() or mysql_prepare() were called with a too big 'length' parameter (bigger than the real intended length of the query: then we receive a query + garbage characters from the client). This resulted in garbage chars written into the binlog. Now instead the client receives something like: 'You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '!stmt' at line 1' i.e. the server is pointing at the weird tail of the query (this '!stmt' are the garbage chars sent by the client). All tests pass, except mysqldump.test and ctype_utf8.test but they failed before the patch. sql/sql_parse.cc: Detect garbage chars at the end of the query (which happens if mysql_real_query() was called with a too big 'length' parameter (bigger than the real intended length of the query: then we receive a query + garbage characters from the client). sql/sql_prepare.cc: Detect garbage chars at the end of the query (which happens if mysql_prepare() was called with a too big 'length' parameter (bigger than the real intended length of the query: then we receive a query + garbage characters from the client). tests/client_test.c: The change to sql_parse.cc and sql_prepare.cc rightfully gives many syntax errors to tests/client_test.c which is full of mysql_prepare(mysql, "SHOW TABLES", 100). Correcting all these commands.
0aa48dc5 · unknown · 6b86e0eb · 0aa48dc5 · 0aa48dc5 · 0aa48dc5
Commit 0aa48dc5 authored Feb 11, 2004 by unknown
Expand all Hide whitespace changes
Inline Side-by-side

Showing with 203 additions and 142 deletions

sql/sql_parse.cc sql/sql_parse.cc +17 -1

sql/sql_prepare.cc sql/sql_prepare.cc +9 -1

tests/client_test.c tests/client_test.c +177 -140

No files found.
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -3845,7 +3845,23 @@ mysql_parse(THD *thd, char *inBuf, uint length)
  if (query_cache_send_result_to_client(thd, inBuf, length) <= 0)
  {
    LEX *lex=lex_start(thd, (uchar*) inBuf, length);
-    if (!yyparse((void *)thd) && ! thd->is_fatal_error)
+    if (!yyparse((void *)thd) && ! thd->is_fatal_error &&
+        /*
+          If this is not a multiple query, ensure that it has been
+          successfully parsed until the last character. This is to prevent
+          against a wrong (too big) length passed to mysql_real_query(),
+          mysql_prepare()... which can generate garbage characters at the
+          end. If the query was initially multiple, found_colon will be false
+          only when we are in the last query; this last query had already
+          been end-spaces-stripped by alloc_query() in dispatch_command(); as
+          end spaces are the only thing we accept at the end of a query, and
+          they have been stripped already, here we can require that nothing
+          remains after parsing.
+        */
+        (thd->lex->found_colon ||
+         (char*)(thd->lex->ptr) == (thd->query+thd->query_length+1) ||
+         /* yyerror() will show the garbage chars to the user */
+         (yyerror("syntax error"), 0)))
    {
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
      if (mqh_used && thd->user_connect &&

--- a/sql/sql_prepare.cc
+++ b/sql/sql_prepare.cc
@@ -909,7 +909,15 @@ bool mysql_stmt_prepare(THD *thd, char *packet, uint packet_length)
  lex->safe_to_cache_query= 0;
  lex->param_count= 0;
-  if (yyparse((void *)thd) || thd->is_fatal_error || send_prepare_results(stmt))
+  if (yyparse((void *)thd) || thd->is_fatal_error ||
+      /*
+        Check for wrong (too big) length passed to mysql_prepare() resulting in
+        garbage at the end of the query. There is a similar check in mysql_parse().
+      */
+      (!thd->lex->found_colon && 
+       (char*)(thd->lex->ptr) != (thd->query+thd->query_length+1) &&
+       /* yyerror() will show the garbage chars to the user */
+       (yyerror("syntax error"), 1)) || send_prepare_results(stmt))
    goto yyparse_err;
  lex_end(lex);

--- a/tests/client_test.c
+++ b/tests/client_test.c