From d1e5808d7ed09b23a9b3b1720e43541efb66a08c Mon Sep 17 00:00:00 2001 From: "Tatiana A. Nurnberg" Date: Thu, 20 Nov 2008 15:39:39 +0100 Subject: Bug#39591: Crash if table comment is longer than 62 characters It was possible to crash a mysqld build with EXTRA_DEBUG using CREATE TABLE ... COMMENT with a specially-crafted UTF-8 string. This CS removes the check that caused it since it no longer applies in current servers anyway, and adds comments instead to avoid future confusion. --- sql/unireg.cc | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) (limited to 'sql/unireg.cc') diff --git a/sql/unireg.cc b/sql/unireg.cc index b581ad4655a..f20d3e8cc6b 100644 --- a/sql/unireg.cc +++ b/sql/unireg.cc @@ -143,6 +143,24 @@ bool mysql_create_frm(THD *thd, my_string file_name, (create_info->min_rows == 1) && (keys == 0)); int2store(fileinfo+28,key_info_length); + /* + This gives us the byte-position of the character at + (character-position, not byte-position) TABLE_COMMENT_MAXLEN. + The trick here is that character-positions start at 0, so the last + character in a maximum-allowed length string would be at char-pos + MAXLEN-1; charpos MAXLEN will be the position of the terminator. + Consequently, bytepos(charpos(MAXLEN)) should be equal to + comment[length] (which should also be the terminator, or at least + the first byte after the payload in the strict sense). If this is + not so (bytepos(charpos(MAXLEN)) comes /before/ the end of the + string), the string is too long. + + For additional credit, realise that UTF-8 has 1-3 bytes before 6.0, + and 1-4 bytes in 6.0 (6.0 also has UTF-32). This means that the + inlined COMMENT supposedly does not exceed 60 character plus + terminator, vulgo, 181 bytes. + */ + tmp_len= system_charset_info->cset->charpos(system_charset_info, create_info->comment.str, create_info->comment.str + @@ -165,14 +183,6 @@ bool mysql_create_frm(THD *thd, my_string file_name, strmake((char*) forminfo+47, create_info->comment.str ? create_info->comment.str : "", create_info->comment.length); forminfo[46]=(uchar) create_info->comment.length; -#ifdef EXTRA_DEBUG - /* - EXTRA_DEBUG causes strmake() to initialize its buffer behind the - payload with a magic value to detect wrong buffer-sizes. We - explicitly zero that segment again. - */ - memset((char*) forminfo+47 + forminfo[46], 0, 61 - forminfo[46]); -#endif if (my_pwrite(file,(byte*) fileinfo,64,0L,MYF_RW) || my_pwrite(file,(byte*) keybuff,key_info_length, (ulong) uint2korr(fileinfo+6),MYF_RW)) -- cgit v1.2.1