From 1b426d3c6dfcf488cf798ce59d0fda48d87a3ab7 Mon Sep 17 00:00:00 2001
From: "bar@mysql.com" <>
Date: Tue, 27 Mar 2007 12:20:20 +0500
Subject: [PATCH 1/2] Bug#27079 Crash while grouping empty ucs2 strings
 Problem: GROUP BY on empty ucs2 strings crashed server. Reason: sometimes
 mi_unique_hash() is executed with ptr=null and length=0, which means "empty
 string". The branch of code handling UCS2 character set was not safe against
 ptr=null and fell into and endless loop even if length=0 because of poiter
 arithmetic overflow. Fix: adding special check for length=0 to avoid pointer
 arithmetic overflow.

---
 mysql-test/r/ctype_uca.result |  9 +++++++++
 mysql-test/t/ctype_uca.test   | 10 ++++++++++
 strings/ctype-uca.c           | 34 +++++++++++++++++++++++++++-------
 3 files changed, 46 insertions(+), 7 deletions(-)

diff --git a/mysql-test/r/ctype_uca.result b/mysql-test/r/ctype_uca.result
index 3e286c77c00..1fd1493bf1e 100644
--- a/mysql-test/r/ctype_uca.result
+++ b/mysql-test/r/ctype_uca.result
@@ -2654,3 +2654,12 @@ ii	2	ii	2	İİ	4
 İİ	4	ii	2	İİ	4
 II	2	ıı	4	II	2
 DROP TABLE t1;
+CREATE TABLE t1 (
+c1 text character set ucs2 collate ucs2_polish_ci NOT NULL
+) ENGINE=MyISAM;
+insert into t1 values (''),('a');
+SELECT COUNT(*), c1 FROM t1 GROUP BY c1;
+COUNT(*)	c1
+1	
+1	a
+DROP TABLE IF EXISTS t1;
diff --git a/mysql-test/t/ctype_uca.test b/mysql-test/t/ctype_uca.test
index 3e49b9de883..64349bc40a6 100644
--- a/mysql-test/t/ctype_uca.test
+++ b/mysql-test/t/ctype_uca.test
@@ -475,3 +475,13 @@ ALTER TABLE t1 MODIFY a VARCHAR(30) character set utf8 collate utf8_turkish_ci;
 SELECT a, length(a) la, @l:=lower(a) l, length(@l) ll, @u:=upper(a) u, length(@u) lu
 FROM t1 ORDER BY id;
 DROP TABLE t1;
+
+#
+# Bug #27079 Crash while grouping empty ucs2 strings
+#
+CREATE TABLE t1 (
+ c1 text character set ucs2 collate ucs2_polish_ci NOT NULL
+) ENGINE=MyISAM;
+insert into t1 values (''),('a');
+SELECT COUNT(*), c1 FROM t1 GROUP BY c1;
+DROP TABLE IF EXISTS t1;
diff --git a/strings/ctype-uca.c b/strings/ctype-uca.c
index 1292d7f5ede..3aad36f858c 100644
--- a/strings/ctype-uca.c
+++ b/strings/ctype-uca.c
@@ -6744,7 +6744,7 @@ typedef struct my_uca_scanner_handler_st
   int (*next)(my_uca_scanner *scanner);
 } my_uca_scanner_handler;
 
-static uint16 nochar[]= {0};
+static uint16 nochar[]= {0,0};
 
 
 #ifdef HAVE_CHARSET_ucs2
@@ -6769,13 +6769,33 @@ static void my_uca_scanner_init_ucs2(my_uca_scanner *scanner,
                                      CHARSET_INFO *cs __attribute__((unused)),
                                      const uchar *str, uint length)
 {
-  /* Note, no needs to initialize scanner->wbeg */
-  scanner->sbeg= str;
-  scanner->send= str + length - 2;
   scanner->wbeg= nochar; 
-  scanner->uca_length= cs->sort_order;
-  scanner->uca_weight= cs->sort_order_big;
-  scanner->contractions= cs->contractions;
+  if (length)
+  {
+    scanner->sbeg= str;
+    scanner->send= str + length - 2;
+    scanner->uca_length= cs->sort_order;
+    scanner->uca_weight= cs->sort_order_big;
+    scanner->contractions= cs->contractions;
+  }
+  else
+  {
+    /*
+      Sometimes this function is called with
+      str=NULL and length=0, which should be
+      considered as an empty string.
+      
+      The above initialization is unsafe for such cases,
+      because scanner->send is initialized to (NULL-2), which is 0xFFFFFFFE.
+      Then we fall into an endless loop in my_uca_scanner_next_ucs2().
+      
+      Do special initialization for the case when length=0.
+      Initialize scanner->sbeg to an address greater than scanner->send.
+      Next call of my_uca_scanner_next_ucs2() will correctly return with -1.
+    */
+    scanner->sbeg= (uchar*) &nochar[1];
+    scanner->send= (uchar*) &nochar[0];
+  }
 }
 
 

From d5c66804431f4df36ae32154592ba8a952ed8a8e Mon Sep 17 00:00:00 2001
From: "bar@mysql.com" <>
Date: Thu, 29 Mar 2007 10:32:38 +0500
Subject: [PATCH 2/2] Code layout fix for bug N 27079 Thanks to Gluh for
 suggestion.

---
 strings/ctype-uca.c | 33 ++++++++++++++++-----------------
 1 file changed, 16 insertions(+), 17 deletions(-)

diff --git a/strings/ctype-uca.c b/strings/ctype-uca.c
index 3aad36f858c..1263882846d 100644
--- a/strings/ctype-uca.c
+++ b/strings/ctype-uca.c
@@ -6777,25 +6777,24 @@ static void my_uca_scanner_init_ucs2(my_uca_scanner *scanner,
     scanner->uca_length= cs->sort_order;
     scanner->uca_weight= cs->sort_order_big;
     scanner->contractions= cs->contractions;
+    return;
   }
-  else
-  {
-    /*
-      Sometimes this function is called with
-      str=NULL and length=0, which should be
-      considered as an empty string.
+
+  /*
+    Sometimes this function is called with
+    str=NULL and length=0, which should be
+    considered as an empty string.
+    
+    The above initialization is unsafe for such cases,
+    because scanner->send is initialized to (NULL-2), which is 0xFFFFFFFE.
+    Then we fall into an endless loop in my_uca_scanner_next_ucs2().
       
-      The above initialization is unsafe for such cases,
-      because scanner->send is initialized to (NULL-2), which is 0xFFFFFFFE.
-      Then we fall into an endless loop in my_uca_scanner_next_ucs2().
-      
-      Do special initialization for the case when length=0.
-      Initialize scanner->sbeg to an address greater than scanner->send.
-      Next call of my_uca_scanner_next_ucs2() will correctly return with -1.
-    */
-    scanner->sbeg= (uchar*) &nochar[1];
-    scanner->send= (uchar*) &nochar[0];
-  }
+    Do special initialization for the case when length=0.
+    Initialize scanner->sbeg to an address greater than scanner->send.
+    Next call of my_uca_scanner_next_ucs2() will correctly return with -1.
+  */
+  scanner->sbeg= (uchar*) &nochar[1];
+  scanner->send= (uchar*) &nochar[0];
 }