From 45a87c685b1378d3840df3e391134afb01dead6f Mon Sep 17 00:00:00 2001 From: Gleb Shchepa Date: Fri, 6 Aug 2010 23:29:37 +0400 Subject: Bug #55424: convert_tz crashes when fed invalid data The CONVERT_TZ function crashes the server when the timezone argument is an empty SET field value. 1) The CONVERT_TZ may find a timezone string in the tz_names hash. 2) A string representation of the empty SET is a String of zero length with the NULL pointer. 3) If the key argument length is zero, hash functions do comparison using the length of the record being compared against. I.e. a zero-length String buffer is an invalid argument for hash search functions, and if String points to NULL buffer, hashcmp() fails with SEGV accessing that memory. The my_tz_find function has been modified to treat empty Strings as invalid timezone values to skip unnecessary hash search. mysql-test/r/timezone2.result: Test case for bug #55424. mysql-test/t/timezone2.test: Test case for bug #55424. sql/sql_string.h: Bug #55424: convert_tz crashes when fed invalid data Added "const" modifier to String::is_empty(). sql/tztime.cc: Bug #55424: convert_tz crashes when fed invalid data The my_tz_find function has been modified to treat empty Strings as invalid timezone values to skip unnecessary hash search. --- sql/tztime.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'sql/tztime.cc') diff --git a/sql/tztime.cc b/sql/tztime.cc index c7a4ad049ec..7ebb8eb392a 100644 --- a/sql/tztime.cc +++ b/sql/tztime.cc @@ -2259,7 +2259,7 @@ my_tz_find(THD *thd, const String *name) DBUG_PRINT("enter", ("time zone name='%s'", name ? ((String *)name)->c_ptr_safe() : "NULL")); - if (!name) + if (!name || name->is_empty()) DBUG_RETURN(0); VOID(pthread_mutex_lock(&tz_LOCK)); -- cgit v1.2.1
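Review bot: The new `name->is_empty()` guard in my_tz_find() is the right minimal fix, but the DBUG_PRINT immediately above it still dereferences the same String via `((String *)name)->c_ptr_safe()` before the guard runs, so in debug builds the zero-length, NULL-buffer String described in the commit message reaches c_ptr_safe() first; please confirm that c_ptr_safe() tolerates that input or move the DBUG_PRINT below the check. Also note that this change only protects this one caller: the root cause stated in the message (hash comparison using the other record's length when the key length is zero) remains in the hash layer, so any other lookup with a zero-length key and a NULL buffer would still be exposed; a defensive length/pointer check in the shared hash search path would close that class rather than this instance. Finally, the diff shown is limited to sql/tztime.cc, so the `const` qualifier the message says was added to String::is_empty() in sql/sql_string.h is not visible here; reviewers should verify that hunk is present in the full commit, since `name` is a `const String *` and the call would not compile without it.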