Commit 69fbbdc1 authored by Davi Arnaut's avatar Davi Arnaut

Bug#45010: invalid memory reads during parsing some strange statements

The problem is that the lexer could inadvertently skip over the
end of a query being parsed if it encountered a malformed multibyte
character. A specially crated query string could cause the lexer
to jump up to six bytes past the end of the query buffer. Another
problem was that the laxer could use unfiltered user input as
a signed array index for the parser maps (having upper and lower
bounds 0 and 256 respectively).

The solution is to ensure that the lexer only skips over well-formed
multibyte characters and that the index value of the parser maps
is always a unsigned value.
parent 1c07007f
...@@ -165,7 +165,7 @@ CREATE TABLE `good ...@@ -165,7 +165,7 @@ CREATE TABLE `good
ERROR HY000: Invalid utf8 character string: '' ERROR HY000: Invalid utf8 character string: ''
SET NAMES utf8; SET NAMES utf8;
CREATE TABLE `good` (a int); CREATE TABLE `good` (a int);
ERROR HY000: Invalid utf8 character string: '` (a int)' ERROR HY000: Invalid utf8 character string: ''
set names latin1; set names latin1;
create table t1 (a char(10) character set koi8r, b text character set koi8r); create table t1 (a char(10) character set koi8r, b text character set koi8r);
insert into t1 values ('test','test'); insert into t1 values ('test','test');
......
...@@ -32,10 +32,10 @@ sys_var_long_ptr trg_new_row_fake_var(0, 0); ...@@ -32,10 +32,10 @@ sys_var_long_ptr trg_new_row_fake_var(0, 0);
/* Macros to look like lex */ /* Macros to look like lex */
#define yyGet() *(lip->ptr++) #define yyGet() ((uchar)*(lip->ptr++))
#define yyGetLast() lip->ptr[-1] #define yyGetLast() ((uchar)lip->ptr[-1])
#define yyPeek() lip->ptr[0] #define yyPeek() ((uchar)lip->ptr[0])
#define yyPeek2() lip->ptr[1] #define yyPeek2() ((uchar)lip->ptr[1])
#define yyUnget() lip->ptr-- #define yyUnget() lip->ptr--
#define yySkip() lip->ptr++ #define yySkip() lip->ptr++
#define yyLength() ((uint) (lip->ptr - lip->tok_start)-1) #define yyLength() ((uint) (lip->ptr - lip->tok_start)-1)
...@@ -813,9 +813,11 @@ int MYSQLlex(void *arg, void *yythd) ...@@ -813,9 +813,11 @@ int MYSQLlex(void *arg, void *yythd)
} }
} }
#ifdef USE_MB #ifdef USE_MB
else if (var_length < 1) else if (use_mb(cs))
break; // Error {
lip->ptr+= var_length-1; if ((var_length= my_ismbchar(cs, lip->ptr-1, lip->end_of_query)))
lip->ptr+= var_length-1;
}
#endif #endif
} }
if (double_quotes) if (double_quotes)
......
...@@ -16647,6 +16647,38 @@ static void test_bug41078(void) ...@@ -16647,6 +16647,38 @@ static void test_bug41078(void)
DBUG_VOID_RETURN; DBUG_VOID_RETURN;
} }
/**
Bug#45010: invalid memory reads during parsing some strange statements
*/
static void test_bug45010()
{
int rc;
const char query1[]= "select a.\x80",
query2[]= "describe `table\xef";
DBUG_ENTER("test_bug45010");
myheader("test_bug45010");
rc= mysql_query(mysql, "set names utf8");
myquery(rc);
/* \x80 (-128) could be used as a index of ident_map. */
rc= mysql_real_query(mysql, query1, sizeof(query1) - 1);
DIE_UNLESS(rc);
/* \xef (-17) could be used to skip 3 bytes past the buffer end. */
rc= mysql_real_query(mysql, query2, sizeof(query2) - 1);
DIE_UNLESS(rc);
rc= mysql_query(mysql, "set names default");
myquery(rc);
DBUG_VOID_RETURN;
}
/* /*
Read and parse arguments and MySQL options from my.cnf Read and parse arguments and MySQL options from my.cnf
*/ */
...@@ -16949,6 +16981,7 @@ static struct my_tests_st my_tests[]= { ...@@ -16949,6 +16981,7 @@ static struct my_tests_st my_tests[]= {
#endif #endif
{ "test_bug41078", test_bug41078 }, { "test_bug41078", test_bug41078 },
{ "test_bug20023", test_bug20023 }, { "test_bug20023", test_bug20023 },
{ "test_bug45010", test_bug45010 },
{ 0, 0 } { 0, 0 }
}; };
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment