author: Gleb Shchepa <gshchepa@mysql.com> 2010-08-06 23:29:37 +0400
committer: Gleb Shchepa <gshchepa@mysql.com> 2010-08-06 23:29:37 +0400
commit: ed736379f5ba4e681088a139cefaebb50600a44a
tree: d65701a7fcebae2d6dac44d75863efaa849215c3 /sql/tztime.cc
parent: 6c0f9301ea434cce4fe2df0ad36c26694375b997
Bug #55424: convert_tz crashes when fed invalid data
The CONVERT_TZ function crashes the server when the timezone argument is an empty SET field value.

1) The CONVERT_TZ may find a timezone string in the tz_names hash.
2) A string representation of the empty SET is a String of zero length with the NULL pointer.
3) If the key argument length is zero, hash functions do comparison using the length of the record being compared against.

I.e. a zero-length String buffer is an invalid argument for hash search functions, and if String points to NULL buffer, hashcmp() fails with SEGV accessing that memory.

The my_tz_find function has been modified to treat empty Strings as invalid timezone values to skip unnecessary hash search.
Diffstat (limited to 'sql/tztime.cc')
-rw-r--r-- sql/tztime.cc 2
1 files changed, 1 insertions, 1 deletions
diff --git a/sql/tztime.cc b/sql/tztime.cc
index c7a4ad049ec..7ebb8eb392a 100644
--- a/sql/tztime.cc
+++ b/sql/tztime.cc
@@ -2259,7 +2259,7 @@ my_tz_find(THD *thd, const String *name)
DBUG_PRINT("enter", ("time zone name='%s'",
name ? ((String *)name)->c_ptr_safe() : "NULL"));
- if (!name)
+ if (!name || name->is_empty())
DBUG_RETURN(0);
VOID(pthread_mutex_lock(&tz_LOCK));
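Review bot: The new `name->is_empty()` test in my_tz_find() guards only this one caller, while the commit message describes the underlying hazard as a property of the hash search functions themselves (a zero-length key makes the comparison use the record's length and read through a NULL buffer). Consider also adding an assertion or an explicit zero-length check at the hash lookup entry point, so that other callers passing an empty String cannot reach hashcmp() the same way. At the check itself, a one-line comment stating that an empty name (for example the string form of an empty SET value) is rejected because it is not a valid hash key would keep the condition from being simplified away later. The change to this file carries no regression test; a case that passes an empty SET column as the timezone argument of CONVERT_TZ and expects a NULL result rather than a crash would pin the behaviour.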