authorunknown <guilhem@gbichot2.local>2004-02-11 12:32:47 +0100
committerunknown <guilhem@gbichot2.local>2004-02-11 12:32:47 +0100
commit0aa48dc500a38c46ee5fa47e26382260364b06f5 (patch)
tree54cf9a68257cb18db61ad8e7401a8ce7d41de58b /sql
parent6b86e0ebc606f52c38eeb98c580e7a9b2c43f0f6 (diff)
downloadmariadb-git-0aa48dc500a38c46ee5fa47e26382260364b06f5.tar.gz
Fix for BUG#2703
"MySQL server does not detect if garbage chars at the end of query": Detect garbage chars at the end of the query or at the end of a query for a prepared statement (which happens if mysql_real_query() or mysql_prepare() were called with a too big 'length' parameter, bigger than the real intended length of the query: then we receive a query + garbage characters from the client). This resulted in garbage chars written into the binlog. Now instead the client receives something like: 'You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '!stmt' at line 1' i.e. the server is pointing at the weird tail of the query (this '!stmt' is the garbage sent by the client). All tests pass, except mysqldump.test and ctype_utf8.test, but they failed before the patch. sql/sql_parse.cc: Detect garbage chars at the end of the query (which happens if mysql_real_query() was called with a too big 'length' parameter, bigger than the real intended length of the query: then we receive a query + garbage characters from the client). sql/sql_prepare.cc: Detect garbage chars at the end of the query (which happens if mysql_prepare() was called with a too big 'length' parameter, bigger than the real intended length of the query: then we receive a query + garbage characters from the client). tests/client_test.c: The change to sql_parse.cc and sql_prepare.cc rightfully gives many syntax errors to tests/client_test.c, which is full of mysql_prepare(mysql, "SHOW TABLES", 100). Correcting all these commands.
Diffstat (limited to 'sql')
-rw-r--r--sql/sql_parse.cc18
-rw-r--r--sql/sql_prepare.cc10
2 files changed, 26 insertions, 2 deletions
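--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -3845,7 +3845,23 @@ mysql_parse(THD *thd, char *inBuf, uint length)
 if (query_cache_send_result_to_client(thd, inBuf, length) <= 0)
 {
 LEX *lex=lex_start(thd, (uchar*) inBuf, length);
- if (!yyparse((void *)thd) && ! thd->is_fatal_error)
+ if (!yyparse((void *)thd) && ! thd->is_fatal_error &&
+ /*
+ If this is not a multiple query, ensure that it has been
+ successfully parsed until the last character. This is to prevent
+ against a wrong (too big) length passed to mysql_real_query(),
+ mysql_prepare()... which can generate garbage characters at the
+ end. If the query was initially multiple, found_colon will be false
+ only when we are in the last query; this last query had already
+ been end-spaces-stripped by alloc_query() in dispatch_command(); as
+ end spaces are the only thing we accept at the end of a query, and
+ they have been stripped already, here we can require that nothing
+ remains after parsing.
+ */
+ (thd->lex->found_colon ||
+ (char*)(thd->lex->ptr) == (thd->query+thd->query_length+1) ||
+ /* yyerror() will show the garbage chars to the user */
+ (yyerror("syntax error"), 0)))
 {
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
 if (mqh_used && thd->user_connect &&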
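Review bot: The equality test `(char*)(thd->lex->ptr) == (thd->query+thd->query_length+1)` on the second added condition line rests on an invariant the long comment above never states: that once yyparse() has returned without error the lexer leaves `ptr` exactly one past the terminating NUL of `thd->query`, which is what the `+1` relies on, and any other position means an unparsed tail. That invariant lives in the lexer rather than in this file, so a one-line comment at that line would help the next reader, e.g. `/* after end-of-input the lexer leaves ptr one past the query's terminating NUL; anything else is an unparsed tail */` (hedged: confirm against the lexer's END_OF_INPUT handling before adopting the wording). Reporting the error through the comma expression `(yyerror("syntax error"), 0)` as the last operand of the `if` buries a side effect inside the condition, and sql_prepare.cc's hunk repeats the same construct with `, 1` and inverted logic; an explicit `else { yyerror("syntax error"); }` after the success block, or one shared predicate for "query fully consumed", would read more plainly and keep the two sites from drifting apart. The comment also makes this check depend on alloc_query() having already stripped trailing spaces, a coupling worth noting at alloc_query() so that a future change there does not silently let trailing bytes reach the binlog again. mysql_parse() starts and ends outside the hunk.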
diff --git a/sql/sql_prepare.cc b/sql/sql_prepare.cc
index 2cf0000d973..cf723e18d85 100644
--- a/sql/sql_prepare.cc
+++ b/sql/sql_prepare.cc
@@ -909,7 +909,15 @@ bool mysql_stmt_prepare(THD *thd, char *packet, uint packet_length)
lex->safe_to_cache_query= 0;
lex->param_count= 0;
- if (yyparse((void *)thd) || thd->is_fatal_error || send_prepare_results(stmt))
+ if (yyparse((void *)thd) || thd->is_fatal_error ||
+ /*
+ Check for wrong (too big) length passed to mysql_prepare() resulting in
+ garbage at the end of the query. There is a similar check in mysql_parse().
+ */
+ (!thd->lex->found_colon &&
+ (char*)(thd->lex->ptr) != (thd->query+thd->query_length+1) &&
+ /* yyerror() will show the garbage chars to the user */
+ (yyerror("syntax error"), 1)) || send_prepare_results(stmt))
goto yyparse_err;
lex_end(lex);