From 0b00c1a22f7861e6a5be5041a915ccafceb0669c Mon Sep 17 00:00:00 2001 From: Eugene Kosov Date: Mon, 23 Mar 2020 02:08:01 +0300 Subject: [PATCH] MDEV-22005 UBSAN: applying non-zero offset 2 to null pointer in my_charpos_mb() Empty comment has a correct length. --- sql/sql_string.h | 6 +++++- sql/sql_table.cc | 10 +++++++--- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/sql/sql_string.h b/sql/sql_string.h index e1d64722898..63404587404 100644 --- a/sql/sql_string.h +++ b/sql/sql_string.h @@ -3,7 +3,7 @@ /* Copyright (c) 2000, 2013, Oracle and/or its affiliates. - Copyright (c) 2008, 2017, MariaDB Corporation. + Copyright (c) 2008, 2020, MariaDB Corporation. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -79,6 +79,10 @@ public: Well_formed_prefix(CHARSET_INFO *cs, const char *str, size_t length) :Well_formed_prefix_status(cs, str, str + length, length), m_str(str) { } + Well_formed_prefix(CHARSET_INFO *cs, LEX_STRING str, size_t nchars) + :Well_formed_prefix_status(cs, str.str, str.str + str.length, nchars), + m_str(str.str) + { } size_t length() const { return m_source_end_pos - m_str; } }; diff --git a/sql/sql_table.cc b/sql/sql_table.cc index 878c09286b5..1845aec5ce2 100644 --- a/sql/sql_table.cc +++ b/sql/sql_table.cc @@ -1,6 +1,6 @@ /* Copyright (c) 2000, 2019, Oracle and/or its affiliates. - Copyright (c) 2010, 2019, MariaDB + Copyright (c) 2010, 2020, MariaDB This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
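Review bot: The new `Well_formed_prefix(CHARSET_INFO *cs, LEX_STRING str, size_t nchars)` constructor in the `@@ -79,6 +79,10 @@` hunk carries no comment, and it sits next to the three-argument `const char *str, size_t length` overload that passes `length` both as the end offset and as the last `Well_formed_prefix_status` argument, whereas the new one passes `str.length` as the end offset and a separate `nchars` as the last argument; a reader can easily conflate the two quantities. Suggest a one-line comment above it, e.g. `// str.length is the byte length of the source; nchars is the limit passed to Well_formed_prefix_status (presumably a character count, as the name suggests)`. The constructor also still evaluates `str.str + str.length`, so it relies on callers never passing a NULL `str.str` together with a non-zero `str.length`; stating that in the comment (or asserting it) would make the contract explicit, since the commit only avoids the NULL case at one call site. The enclosing class `Well_formed_prefix` begins before the hunk, and the copyright-year hunk that shares this line needs no review.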
@@ -4286,8 +4286,12 @@ bool validate_comment_length(THD *thd, LEX_STRING *comment, size_t max_len,
 uint err_code, const char *name)
 {
 DBUG_ENTER("validate_comment_length");
- uint tmp_len= my_charpos(system_charset_info, comment->str,
- comment->str + comment->length, max_len);
+
+ if (comment->length == 0)
+ DBUG_RETURN(false);
+
+ size_t tmp_len=
+ Well_formed_prefix(system_charset_info, *comment, max_len).length();
 if (tmp_len < comment->length)
 {
 if (thd->is_strict_mode())
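Review bot: Replacing `my_charpos()` with `Well_formed_prefix(system_charset_info, *comment, max_len).length()` changes more than the empty-comment case the commit message describes: if `Well_formed_prefix` stops at the first ill-formed byte sequence (as its name suggests), a comment containing bytes invalid in `system_charset_info` now yields `tmp_len < comment->length` and is reported through the too-long branch (`err_code`) rather than as a malformed string, so please confirm that is intended or that comments are validated upstream. The early `DBUG_RETURN(false)` removes the NULL-pointer offset for an empty comment, but a NULL `comment->str` with a non-zero `length` would still reach the pointer arithmetic inside `Well_formed_prefix`; a `DBUG_ASSERT(comment->str);` after the early return would document the contract callers must meet. The early return also deserves a why-comment, e.g. `/* An empty comment is always valid; skip the charset scan (MDEV-22005: NULL str + non-zero offset is UB) */`. `validate_comment_length` continues past the end of the hunk, so the remainder of the error path is not visible here.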