diff options
| author | Sergei Golubchik <serg@mariadb.org> | 2021-04-26 16:52:32 +0200 |
|---|---|---|
| committer | Sergei Golubchik <serg@mariadb.org> | 2021-04-27 18:21:01 +0200 |
| commit | 4f63b6cf53ce2d9eaf4a8006587ebf3c4d6ddd3c (patch) | |
| tree | 53beca4046a7083dbb70360da2c03a8b6ece9fe6 | |
| parent | 883b723d7cc38c04f48395c1cf5512900c7c2705 (diff) | |
| download | mariadb-git-4f63b6cf53ce2d9eaf4a8006587ebf3c4d6ddd3c.tar.gz | |
Bug #31674599: THE UDF_INIT() FUNCTION CAUSE SERVER CRASH
| -rw-r--r-- | mysql-test/r/udf.result | 8 | ||||
| -rw-r--r-- | mysql-test/t/udf.test | 10 | ||||
| -rw-r--r-- | sql/sql_udf.cc | 6 |
3 files changed, 21 insertions, 3 deletions
diff --git a/mysql-test/r/udf.result b/mysql-test/r/udf.result index 49768f6c514..367fc187ed2 100644 --- a/mysql-test/r/udf.result +++ b/mysql-test/r/udf.result @@ -492,4 +492,12 @@ select * from mysql.plugin WHERE name='unexisting_udf'; name dl DROP FUNCTION unexisting_udf; ERROR 42000: FUNCTION test.unexisting_udf does not exist +# +# Bug #31674599: THE UDF_INIT() FUNCTION CAUSE SERVER CRASH +# +call mtr.add_suppression('Invalid row in mysql.func table'); +insert mysql.func () values (); +delete from mysql.func where name = ''; +# # End of 10.2 tests +# diff --git a/mysql-test/t/udf.test b/mysql-test/t/udf.test index 07c7f599db7..199c0737dd1 100644 --- a/mysql-test/t/udf.test +++ b/mysql-test/t/udf.test @@ -562,4 +562,14 @@ select * from mysql.plugin WHERE name='unexisting_udf'; --error ER_SP_DOES_NOT_EXIST DROP FUNCTION unexisting_udf; +--echo # +--echo # Bug #31674599: THE UDF_INIT() FUNCTION CAUSE SERVER CRASH +--echo # +call mtr.add_suppression('Invalid row in mysql.func table'); +insert mysql.func () values (); +source include/restart_mysqld.inc; +delete from mysql.func where name = ''; + +--echo # --echo # End of 10.2 tests +--echo # diff --git a/sql/sql_udf.cc b/sql/sql_udf.cc index 2af12d94228..c026ef6b7ba 100644 --- a/sql/sql_udf.cc +++ b/sql/sql_udf.cc @@ -196,7 +196,7 @@ void udf_init() DBUG_PRINT("info",("init udf record")); LEX_STRING name; name.str=get_field(&mem, table->field[0]); - name.length = (uint) strlen(name.str); + name.length = (uint) safe_strlen(name.str); char *dl_name= get_field(&mem, table->field[2]); bool new_dl=0; Item_udftype udftype=UDFTYPE_FUNCTION; @@ -210,12 +210,12 @@ void udf_init() On windows we must check both FN_LIBCHAR and '/'. */ - if (check_valid_path(dl_name, strlen(dl_name)) || + if (!name.str || !dl_name || check_valid_path(dl_name, strlen(dl_name)) || check_string_char_length(&name, 0, NAME_CHAR_LEN, system_charset_info, 1)) { sql_print_error("Invalid row in mysql.func table for function '%.64s'", - name.str); + safe_str(name.str)); continue; } |