diff options
| author | Norio Akagi <redtree.dev1112@gmail.com> | 2022-07-06 09:23:09 +0000 |
|---|---|---|
| committer | Nayuta Yanagisawa <nayuta.yanagisawa@hey.com> | 2022-08-01 14:41:17 +0900 |
| commit | bb3300d60774b10a5b8a84d2c6baf60d10f41e42 (patch) | |
| tree | f20ddd024491488b5794b989394b43f8c2a0129a | |
| parent | a6f7c8edc9b8c394662e06df7421eb6215ced0d3 (diff) | |
| download | mariadb-git-bb3300d60774b10a5b8a84d2c6baf60d10f41e42.tar.gz | |
MDEV-28315 Fix ASAN stack-buffer-overflow in String::copy_alignedbb-10.6-MDEV-28315
Starting since this commit 36cdd5c there is an ASAN
stack-buffer-overflow error because we append a NULL terminator
beyond the length of memory allocated.
| -rw-r--r-- | mysql-test/main/strings.result | 10 | ||||
| -rw-r--r-- | mysql-test/main/strings.test | 12 | ||||
| -rw-r--r-- | sql/sql_string.cc | 2 | ||||
| -rw-r--r-- | sql/sql_string.h | 2 |
4 files changed, 24 insertions, 2 deletions
diff --git a/mysql-test/main/strings.result b/mysql-test/main/strings.result index 2d0eb5e7400..6573e734422 100644 --- a/mysql-test/main/strings.result +++ b/mysql-test/main/strings.result @@ -18,3 +18,13 @@ LENGTH(CONCAT_WS(d, ' ')) 1 1 DROP TABLE t1; +# +# MDEV-28315 ASAN stack-buffer-overflow in String::copy_aligned +# +CREATE TABLE t1 (a VARBINARY(128)) CHARACTER SET utf32; +INSERT INTO t1 VALUES ('South Carolina, Vermont, New Jersey, New Mexico, Wisconsin, Missouri, Delaware'); +CREATE TABLE t2 (b SET('South Carolina', 'Vermont', 'Texas', 'New Mexico', 'Wisconsin', 'Missouri', 'Delaware', 'Wyoming', 'New Jersey', 'Maryland', 'Illinois', 'New York')) CHARACTER SET utf32; +INSERT INTO t2 SELECT * FROM t1; +ERROR 01000: Data truncated for column 'b' at row 1 +DROP TABLE t1; +DROP TABLE t2; diff --git a/mysql-test/main/strings.test b/mysql-test/main/strings.test index 083ab7b07a4..3f3f4b572af 100644 --- a/mysql-test/main/strings.test +++ b/mysql-test/main/strings.test @@ -24,3 +24,15 @@ CREATE TABLE t1 (d DATE); INSERT INTO t1 VALUES ('1920-03-02'),('2020-12-01'); SELECT LENGTH(CONCAT_WS(d, ' ')) FROM t1; DROP TABLE t1; + +--echo # +--echo # MDEV-28315 ASAN stack-buffer-overflow in String::copy_aligned +--echo # + +CREATE TABLE t1 (a VARBINARY(128)) CHARACTER SET utf32; +INSERT INTO t1 VALUES ('South Carolina, Vermont, New Jersey, New Mexico, Wisconsin, Missouri, Delaware'); +CREATE TABLE t2 (b SET('South Carolina', 'Vermont', 'Texas', 'New Mexico', 'Wisconsin', 'Missouri', 'Delaware', 'Wyoming', 'New Jersey', 'Maryland', 'Illinois', 'New York')) CHARACTER SET utf32; +--error WARN_DATA_TRUNCATED +INSERT INTO t2 SELECT * FROM t1; +DROP TABLE t1; +DROP TABLE t2; diff --git a/sql/sql_string.cc b/sql/sql_string.cc index 991b65ef4b2..90693f407fb 100644 --- a/sql/sql_string.cc +++ b/sql/sql_string.cc @@ -398,7 +398,7 @@ bool String::copy_aligned(const char *str, size_t arg_length, size_t offset, DBUG_ASSERT(offset && offset != cs->mbminlen); size_t aligned_length= arg_length + offset; - if (alloc(aligned_length)) + if (alloc(aligned_length+1)) return TRUE; /* diff --git a/sql/sql_string.h b/sql/sql_string.h index fe57c8153bb..b398d4437ee 100644 --- a/sql/sql_string.h +++ b/sql/sql_string.h @@ -690,7 +690,7 @@ public: Note that if arg_length == Alloced_length then we don't allocate. This ensures we don't do any extra allocations in protocol and String:int, - but the string will not be atomically null terminated if c_ptr() is not + but the string will not be automatically null terminated if c_ptr() is not called. */ if (arg_length <= Alloced_length && Alloced_length) |