From 0b62b7f26d2bef58983f7c7e8b288dd9bce0cdcc Mon Sep 17 00:00:00 2001
From: Alexey Kopytov
Date: Wed, 20 May 2009 12:30:06 +0400
Subject: Bug #44796: valgrind: too many my_longlong10_to_str_8bit warnings after uncompressed_length

UNCOMPRESSED_LENGTH() did not validate its argument. In particular, if the argument length was less than 4 bytes, an uninitialized memory value was returned as a result. Since the result of COMPRESS() is either an empty string or a 4-byte length prefix followed by compressed data, the bug was fixed by ensuring that the argument of UNCOMPRESSED_LENGTH() is either an empty string or contains at least 5 bytes (as done in UNCOMPRESS()). This is the best we can do to validate input without decompressing.

mysql-test/r/func_compress.result: Added a test case for bug #44796.
mysql-test/t/func_compress.test: Added a test case for bug #44796.
sql/item_strfunc.cc: Make sure that the argument of UNCOMPRESSED_LENGTH() contains at least 5 bytes (as done in UNCOMPRESS()).
---
 sql/item_strfunc.cc | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

(limited to 'sql/item_strfunc.cc')

diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc
index bc2dcb9c61b..4941f427731 100644
--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@@ -3108,7 +3108,21 @@ longlong Item_func_uncompressed_length::val_int()
   if (res->is_empty()) return 0;
 
   /*
-    res->ptr() using is safe because we have tested that string is not empty,
+    If length is <= 4 bytes, data is corrupt. This is the best we can do
+    to detect garbage input without decompressing it.
+  */
+  if (res->length() <= 4)
+  {
+    push_warning_printf(current_thd, MYSQL_ERROR::WARN_LEVEL_ERROR,
+                        ER_ZLIB_Z_DATA_ERROR,
+                        ER(ER_ZLIB_Z_DATA_ERROR));
+    null_value= 1;
+    return 0;
+  }
+
+  /*
+    res->ptr() using is safe because we have tested that string is at least
+    5 bytes long.
     res->c_ptr() is not used because:
       - we do not need \0 terminated string to get first 4 bytes
       - c_ptr() tests simbol after string end (uninitialiozed memory) which
-- 
cgit v1.2.1
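Review bot: The guard `if (res->length() <= 4)` only ensures the 4-byte prefix can be read without touching uninitialized memory; it does not validate the prefix or the zlib payload, so the added comment `If length is <= 4 bytes, data is corrupt` says less than a reader of the returned value needs to know. I would reword it to `Fewer than 5 bytes cannot hold a length prefix plus zlib data; longer inputs are not checked further, and the prefix read below is taken as-is from the argument.` so nobody later sizes a buffer from this result without an independent cap. The literal 4 is also, per the commit message, repeated in UNCOMPRESS(); tying both to one named constant (or `sizeof(uint32)`) would keep the two checks from drifting apart. The rest of val_int(), including the read of the prefix after the comment, lies outside the hunk, so I could not confirm how that value is masked or returned.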