Fixed bug #28522:

sometimes `mysqldump --hex-blob' overruned output buffer by '\0' byte. The dump_table() function has been fixed to reserve 1 byte more for the last '\0' byte of dumped string.

Fixed bug #28522:
sometimes `mysqldump --hex-blob' overruned output buffer by '\0' byte. The dump_table() function has been fixed to reserve 1 byte more for the last '\0' byte of dumped string.
2ee30b0b · gshchepa/uchum@gleb.loc · 55906317 · 2ee30b0b · 2ee30b0b · 2ee30b0b
Commit 2ee30b0b authored May 25, 2007 by gshchepa/uchum@gleb.loc
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 2 deletions

client/mysqldump.c client/mysqldump.c +5 -2

mysql-test/r/mysqldump.result mysql-test/r/mysqldump.result +11 -0

mysql-test/t/mysqldump.test mysql-test/t/mysqldump.test +7 -0

No files found.
--- a/client/mysqldump.c
+++ b/client/mysqldump.c
@@ -2529,15 +2529,18 @@ static void dump_table(char *table, char *db)
                  plus 2 bytes for '0x' prefix.
                  - In non-HEX mode we need up to 2 bytes per character,
                  plus 2 bytes for leading and trailing '\'' characters.
+                  Also we need to reserve 1 byte for terminating '\0'.
                */
-                dynstr_realloc_checked(&extended_row,length * 2+2);
+                dynstr_realloc_checked(&extended_row,length * 2 + 2 + 1);
                if (opt_hex_blob && is_blob)
                {
                  dynstr_append_checked(&extended_row, "0x");
                  extended_row.length+= mysql_hex_string(extended_row.str +
                                                         extended_row.length,
                                                         row[i], length);
-                  extended_row.str[extended_row.length]= '\0';
+                  DBUG_ASSERT(extended_row.length+1 <= extended_row.max_length);
+                  /* mysql_hex_string() already terminated string by '\0' */
+                  DBUG_ASSERT(extended_row.str[extended_row.length] == '\0');
                }
                else
                {

--- a/mysql-test/r/mysqldump.result
+++ b/mysql-test/r/mysqldump.result
@@ -3310,5 +3310,16 @@ drop user user1;
 drop user user2;
 drop database mysqldump_test_db;
 #
+# Bug #28522: buffer overrun by '\0' byte using --hex-blob.
+#
+CREATE TABLE t1 (c1 INT, c2 LONGBLOB);
+INSERT INTO t1 SET c1=11, c2=REPEAT('q',509);
+CREATE TABLE `t1` (
+  `c1` int(11) default NULL,
+  `c2` longblob
+);
+INSERT INTO `t1` VALUES (11,0x7171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171);
+DROP TABLE t1;
+#
 # End of 5.0 tests
 #
--- a/mysql-test/t/mysqldump.test
+++ b/mysql-test/t/mysqldump.test
@@ -1528,7 +1528,14 @@ drop user user2;

 drop database mysqldump_test_db;

+--echo #
+--echo # Bug #28522: buffer overrun by '\0' byte using --hex-blob.
+--echo #

+CREATE TABLE t1 (c1 INT, c2 LONGBLOB);
+INSERT INTO t1 SET c1=11, c2=REPEAT('q',509);
+--exec $MYSQL_DUMP --skip-create --compact --hex-blob test t1
+DROP TABLE t1;

 --echo #
 --echo # End of 5.0 tests