MDEV-32376 SHOW CREATE DATABASE statement crashes the server when db name...

MDEV-32376 SHOW CREATE DATABASE statement crashes the server when db name contains some unicode characters, ASAN stack-buffer-overflow Adding the test for the length of lex->name into show_create_db(). Without this test writes beyond the end of db_name_buff were possible upon a too long database name.

MDEV-32376 SHOW CREATE DATABASE statement crashes the server when db name...
MDEV-32376 SHOW CREATE DATABASE statement crashes the server when db name contains some unicode characters, ASAN stack-buffer-overflow Adding the test for the length of lex->name into show_create_db(). Without this test writes beyond the end of db_name_buff were possible upon a too long database name.
21f56583 · Alexander Barkov · bf0aa99a · 21f56583 · 21f56583 · 21f56583
Commit 21f56583 authored Jun 10, 2024 by Alexander Barkov
Hide whitespace changes
Inline Side-by-side

Showing with 33 additions and 0 deletions

mysql-test/main/create.result mysql-test/main/create.result +7 -0

mysql-test/main/create.test mysql-test/main/create.test +9 -0

sql/sql_parse.cc sql/sql_parse.cc +17 -0

No files found.
--- a/mysql-test/main/create.result
+++ b/mysql-test/main/create.result
@@ -2061,4 +2061,11 @@ DROP TABLE t1;
 #
 CREATE TABLE t1 (id1 INT, id2 INT, primary key (id1), unique index (id2) visible);
 drop table t1;
+#
+# MDEV-32376 SHOW CREATE DATABASE statement crashes the server when db name contains some unicode characters, ASAN stack-buffer-overflow
+#
+SET NAMES utf8mb3;
+SHOW CREATE DATABASE `#testone#￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭`;
+ERROR 42000: Incorrect database name '#testone#￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭...'
+SET NAMES DEFAULT;
 # End of 10.5 Test
--- a/mysql-test/main/create.test
+++ b/mysql-test/main/create.test
@@ -1935,4 +1935,13 @@ DROP TABLE t1;
 CREATE TABLE t1 (id1 INT, id2 INT, primary key (id1), unique index (id2) visible);
 drop table t1;

+--echo #
+--echo # MDEV-32376 SHOW CREATE DATABASE statement crashes the server when db name contains some unicode characters, ASAN stack-buffer-overflow
+--echo #
+
+SET NAMES utf8mb3;
+--error ER_WRONG_DB_NAME
+SHOW CREATE DATABASE `#testone#￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭`;
+SET NAMES DEFAULT;
+
 --echo # End of 10.5 Test
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -6637,6 +6637,23 @@ show_create_db(THD *thd, LEX *lex)
  DBUG_EXECUTE_IF("4x_server_emul",
                  my_error(ER_UNKNOWN_ERROR, MYF(0)); return 1;);

+#if MYSQL_VERSION_ID<=110301
+  /*
+    This piece of the code was added in 10.5 to fix MDEV-32376.
+    It should not get to 11.3 or higer, as MDEV-32376 was fixed
+    in a different way in 11.3.1 (see MDEV-31948).
+  */
+  if (lex->name.length > sizeof(db_name_buff) - 1)
+  {
+    my_error(ER_WRONG_DB_NAME, MYF(0),
+             ErrConvString(lex->name.str, lex->name.length,
+                           system_charset_info).ptr());
+    return 1;
+  }
+#else
+#error Remove this preprocessor-conditional code in 11.3.1+
+#endif
+
  db_name.str= db_name_buff;
  db_name.length= lex->name.length;
  strmov(db_name_buff, lex->name.str);