author | Alexander Barkov <bar@mariadb.com> | 2020-08-04 09:49:44 +0400 |
---|---|---|
committer | Alexander Barkov <bar@mariadb.com> | 2020-08-04 09:49:44 +0400 |
commit | d4967659032b18a5504198b41dd3d0a1813d79ef (patch) | |
tree | f22108a6726433b43a5f4a6ce3642d0785d2f059 /sql/sql_cache.h | |
parent | b3e9798ff3fe4dcdda841dc72bd5d9a26db9eaa1 (diff) | |
download | mariadb-git-d4967659032b18a5504198b41dd3d0a1813d79ef.tar.gz |
MDEV-22022 Various mangled SQL statements will crash 10.3 to 10.5 debug builds

Lex_input_stream::scan_ident_delimited() could go beyond the end
of the input when a starting backtick (`) delimiter did not have a
corresponding ending backtick.

Fix: catch the case when yyGet() returns 0, which means
either eof-of-query or straight 0x00 byte inside backticks,
and make the parser fail on syntax error, displaying the left
backtick as the syntax error place.

In case of filename in a script like this:

    SET CHARACTER_SET_CLIENT=17; -- 17 is 'filename'
    SELECT doc.`Children`.0 FROM t1;

the ending backtick was not recognized as such because my_charlen() returns 0 for
a straight backtick (backticks must normally be encoded as @0060 in filename).
The same fix works for 'filename': the execution skips the backtick
and reaches the end of the query, then yyGet() returns 0.

This fix is OK for now. But eventually 'filename' should either be disallowed
as a parser character set, or fixed to handle encoded punctuation properly.

Diffstat (limited to 'sql/sql_cache.h')
0 files changed, 0 insertions, 0 deletions
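
The check the commit message describes, as an added example that is not part of this commit or of MariaDB's source: a simplified, hypothetical backtick-identifier scanner that fails with the opening backtick as the error position when it meets end-of-query or a raw 0x00 byte. The names `scan_delimited` and `ident_result`, the doubled-backtick handling, and the sample query are assumptions made for illustration; the 'filename' character set case is not modelled.

```c
#include <stddef.h>
#include <stdio.h>

typedef struct {
    int ok;          /* 1 = identifier scanned, 0 = syntax error */
    size_t err_pos;  /* on error: offset of the opening backtick */
    size_t next;     /* on success: offset just past the closing backtick */
    size_t len;      /* on success: identifier bytes stored in out */
} ident_result;

/* Hypothetical simplified scanner, not MariaDB code.
   q[start] must be the opening backtick; qlen is the query length. */
ident_result scan_delimited(const char *q, size_t qlen, size_t start,
                            char *out, size_t outcap)
{
    ident_result r = {0, start, 0, 0};
    size_t i = start + 1;
    if (outcap == 0 || start >= qlen || q[start] != '`')
        return r;
    for (;;) {
        /* End of query or a raw 0x00 byte inside the backticks:
           stop and report the opening backtick as the error place. */
        if (i >= qlen || q[i] == '\0')
            return r;
        if (q[i] == '`') {
            if (i + 1 < qlen && q[i + 1] == '`') {
                i++;                  /* doubled backtick: literal ` */
            } else {
                out[r.len] = '\0';
                r.ok = 1;
                r.next = i + 1;
                return r;
            }
        }
        if (r.len + 1 >= outcap)      /* identifier too long for out */
            return r;
        out[r.len++] = q[i++];
    }
}

int main(void)
{
    const char q[] = "SELECT `Children FROM t1";  /* constructed input */
    char out[64];
    ident_result r = scan_delimited(q, sizeof q - 1, 7, out, sizeof out);
    printf("ok=%d err_pos=%zu\n", r.ok, r.err_pos);
    return 0;
}
```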