diff options
| author | Davi Arnaut <Davi.Arnaut@Sun.COM> | 2009-08-07 23:32:01 -0300 |
|---|---|---|
| committer | Davi Arnaut <Davi.Arnaut@Sun.COM> | 2009-08-07 23:32:01 -0300 |
| commit | c7163c630a7ab5c9770c9ae07355acc531f110a1 (patch) | |
| tree | ffaa8e6fff678b5b86aabefb449700837770e903 /tests | |
| parent | a791f20089a6e5a0f89f93aa427b43c7ec920079 (diff) | |
| download | mariadb-git-c7163c630a7ab5c9770c9ae07355acc531f110a1.tar.gz | |
Bug#45010: invalid memory reads during parsing some strange statements
The problem is that the lexer could inadvertently skip over the
end of a query being parsed if it encountered a malformed multibyte
character. A specially crated query string could cause the lexer
to jump up to six bytes past the end of the query buffer. Another
problem was that the laxer could use unfiltered user input as
a signed array index for the parser maps (having upper and lower
bounds 0 and 256 respectively).
The solution is to ensure that the lexer only skips over well-formed
multibyte characters and that the index value of the parser maps
is always a unsigned value.
mysql-test/r/ctype_recoding.result:
Update test case result: ending backtick is not skipped over anymore.
sql/sql_lex.cc:
Characters being analyzed must be unsigned as they can be
used as indexes for the parser maps. Only skip over if the
string is a valid multi-byte sequence.
tests/mysql_client_test.c:
Add test case for Bug#45010
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/mysql_client_test.c | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/tests/mysql_client_test.c b/tests/mysql_client_test.c index 040ef4d050d..63137bdba93 100644 --- a/tests/mysql_client_test.c +++ b/tests/mysql_client_test.c @@ -16647,6 +16647,38 @@ static void test_bug41078(void) DBUG_VOID_RETURN; } + +/** + Bug#45010: invalid memory reads during parsing some strange statements +*/ + +static void test_bug45010() +{ + int rc; + const char query1[]= "select a.\x80", + query2[]= "describe `table\xef"; + + DBUG_ENTER("test_bug45010"); + myheader("test_bug45010"); + + rc= mysql_query(mysql, "set names utf8"); + myquery(rc); + + /* \x80 (-128) could be used as a index of ident_map. */ + rc= mysql_real_query(mysql, query1, sizeof(query1) - 1); + DIE_UNLESS(rc); + + /* \xef (-17) could be used to skip 3 bytes past the buffer end. */ + rc= mysql_real_query(mysql, query2, sizeof(query2) - 1); + DIE_UNLESS(rc); + + rc= mysql_query(mysql, "set names default"); + myquery(rc); + + DBUG_VOID_RETURN; +} + + /* Read and parse arguments and MySQL options from my.cnf */ @@ -16949,6 +16981,7 @@ static struct my_tests_st my_tests[]= { #endif { "test_bug41078", test_bug41078 }, { "test_bug20023", test_bug20023 }, + { "test_bug45010", test_bug45010 }, { 0, 0 } }; |