Bug #28934: server crash when receiving malformed com_execute packets

Sometimes a parameter slot may not get a value because of the protocol data being plain wrong. Such cases should be detected and handled by returning an error. Fixed by checking data stream constraints where possible (like maximum length) and reacting to the case where a value cannot be constructed.
2025-07-29 05:21:33 +03:00 · 2007-06-12 11:02:34 +03:00
parent c25c178112
commit b9876c6e9c
2 changed files with 93 additions and 0 deletions
--- a/tests/mysql_client_test.c
+++ b/tests/mysql_client_test.c
@ -15686,6 +15686,88 @@ end:
 }


+/*
+  Bug#28934: server crash when receiving malformed com_execute packets
+*/
+
+static void test_bug28934()
+{
+  MYSQL *l_mysql;
+  my_bool error= 0;
+  my_ulonglong res;
+  MYSQL_BIND bind[5];
+  MYSQL_STMT *stmt;
+  int cnt;
+
+  if (!(l_mysql= mysql_init(NULL)))
+  {
+    myerror("mysql_init() failed");
+    DIE_UNLESS(1);
+  }
+  if (!(mysql_real_connect(l_mysql, opt_host, opt_user,
+                           opt_password, current_db, opt_port,
+                           opt_unix_socket, CLIENT_FOUND_ROWS)))
+  {
+    myerror("connection failed");
+    error= 1;
+    goto end;
+  }
+  l_mysql->reconnect= 1;
+  if (mysql_query(l_mysql, "drop table if exists t1"))
+  {
+    myerror(NULL);
+    error= 1;
+    goto end;
+  }
+  if (mysql_query(l_mysql, "create table t1(id int)"))
+  {
+    myerror(NULL);
+    error= 1;
+    goto end;
+  }
+  if (mysql_query(l_mysql, "insert into t1 values(1),(2),(3),(4),(5)"))
+  {
+    myerror(NULL);
+    error= 1;
+    goto end;
+  }
+  if (!(stmt= mysql_simple_prepare(l_mysql,
+                                   "select * from t1 where id in(?,?,?,?,?)")))
+  {
+    myerror(NULL);
+    error= 1;
+    goto end;
+  }
+
+  memset (&bind, 0, sizeof (bind));
+  for (cnt= 0; cnt < 5; cnt++)
+  {
+    bind[cnt].buffer_type= MYSQL_TYPE_LONG;
+    bind[cnt].buffer= (char*)&cnt;
+    bind[cnt].buffer_length= 0;
+  }
+  if(mysql_stmt_bind_param(stmt, bind))
+  {
+    myerror(NULL);
+    error= 1;
+    goto end;
+  }
+  stmt->param_count=2;
+  error= mysql_stmt_execute(stmt);
+  DIE_UNLESS (error != 0);
+  myerror(NULL);
+  error= 0;
+  if (mysql_query(l_mysql, "drop table t1"))
+  {
+    myerror(NULL);
+    error= 1;
+  }
+end:
+  mysql_close(l_mysql);
+  DIE_UNLESS(error == 0);
+}
+
+
 /*
  Read and parse arguments and MySQL options from my.cnf
 */
@ -15968,6 +16050,7 @@ static struct my_tests_st my_tests[]= {
  { "test_bug24179", test_bug24179 },
  { "test_bug27876", test_bug27876 },
  { "test_bug28505", test_bug28505 },
+  { "test_bug28934", test_bug28934 },
  { 0, 0 }
 };