database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-29 05:21:33 +03:00
Code Activity

MDEV-32376 SHOW CREATE DATABASE statement crashes the server when db name contains some unicode characters, ASAN stack-buffer-overflow

Browse Source 
Adding the test for the length of lex->name into show_create_db().

Without this test writes beyond the end of db_name_buff were possible
upon a too long database name.
This commit is contained in:
Alexander Barkov
2024-06-10 09:31:14 +04:00
parent bf0aa99aeb
commit 21f56583bf
3 changed files with 33 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
mysql-test/main/create.result
View File

@ -2061,4 +2061,11 @@ DROP TABLE t1;
# #
CREATE TABLE t1 (id1 INT, id2 INT, primary key (id1), unique index (id2) visible); CREATE TABLE t1 (id1 INT, id2 INT, primary key (id1), unique index (id2) visible);
drop table t1; drop table t1;
#
# MDEV-32376 SHOW CREATE DATABASE statement crashes the server when db name contains some unicode characters, ASAN stack-buffer-overflow
#
SET NAMES utf8mb3;
SHOW CREATE DATABASE `#testone#■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■`;
ERROR 42000: Incorrect database name '#testone#■■■■■■■■■■■■■■■■■■■■■■■■■■■■■...'
SET NAMES DEFAULT;
# End of 10.5 Test # End of 10.5 Test

9
mysql-test/main/create.test
View File

@ -1935,4 +1935,13 @@ DROP TABLE t1;
CREATE TABLE t1 (id1 INT, id2 INT, primary key (id1), unique index (id2) visible); CREATE TABLE t1 (id1 INT, id2 INT, primary key (id1), unique index (id2) visible);
drop table t1; drop table t1;
--echo #
--echo # MDEV-32376 SHOW CREATE DATABASE statement crashes the server when db name contains some unicode characters, ASAN stack-buffer-overflow
--echo #
SET NAMES utf8mb3;
--error ER_WRONG_DB_NAME
SHOW CREATE DATABASE `#testone#■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■`;
SET NAMES DEFAULT;
--echo # End of 10.5 Test --echo # End of 10.5 Test

17
sql/sql_parse.cc
View File

@ -6637,6 +6637,23 @@ show_create_db(THD *thd, LEX *lex)
DBUG_EXECUTE_IF("4x_server_emul", DBUG_EXECUTE_IF("4x_server_emul",
my_error(ER_UNKNOWN_ERROR, MYF(0)); return 1;); my_error(ER_UNKNOWN_ERROR, MYF(0)); return 1;);
#if MYSQL_VERSION_ID<=110301
/*
This piece of the code was added in 10.5 to fix MDEV-32376.
It should not get to 11.3 or higer, as MDEV-32376 was fixed
in a different way in 11.3.1 (see MDEV-31948).
*/
if (lex->name.length > sizeof(db_name_buff) - 1)
{
my_error(ER_WRONG_DB_NAME, MYF(0),
ErrConvString(lex->name.str, lex->name.length,
system_charset_info).ptr());
return 1;
}
#else
#error Remove this preprocessor-conditional code in 11.3.1+
#endif
db_name.str= db_name_buff; db_name.str= db_name_buff;
db_name.length= lex->name.length; db_name.length= lex->name.length;
strmov(db_name_buff, lex->name.str); strmov(db_name_buff, lex->name.str);