Bug #55424: convert_tz crashes when fed invalid data

The CONVERT_TZ function crashes the server when the timezone argument is an empty SET field value. 1) The CONVERT_TZ may find a timezone string in the tz_names hash. 2) A string representation of the empty SET is a String of zero length with the NULL pointer. 3) If the key argument length is zero, hash functions do comparison using the length of the record being compared against. I.e. a zero-length String buffer is an invalid argument for hash search functions, and if String points to NULL buffer, hashcmp() fails with SEGV accessing that memory. The my_tz_find function has been modified to treat empty Strings as invalid timezone values to skip unnecessary hash search. mysql-test/r/timezone2.result: Test case for bug #55424. mysql-test/t/timezone2.test: Test case for bug #55424. sql/sql_string.h: Bug #55424: convert_tz crashes when fed invalid data Added "const" modifier to String::is_empty(). sql/tztime.cc: Bug #55424: convert_tz crashes when fed invalid data The my_tz_find function has been modified to treat empty Strings as invalid timezone values to skip unnecessary hash search.
2025-07-27 18:02:13 +03:00 · 2010-08-06 23:29:37 +04:00
parent 09eb23d50b
commit 45a87c685b
4 changed files with 23 additions and 2 deletions
--- a/sql/sql_string.h
+++ b/sql/sql_string.h
@ -97,7 +97,7 @@ public:
  inline uint32 alloced_length() const { return Alloced_length;}
  inline char& operator [] (uint32 i) const { return Ptr[i]; }
  inline void length(uint32 len) { str_length=len ; }
-  inline bool is_empty() { return (str_length == 0); }
+  inline bool is_empty() const { return (str_length == 0); }
  inline void mark_as_const() { Alloced_length= 0;}
  inline const char *ptr() const { return Ptr; }
  inline char *c_ptr()