From bab4ff1ae52762e5eeb828d89cc7cd3b6e94f3aa Mon Sep 17 00:00:00 2001 From: Davi Arnaut Date: Mon, 9 Feb 2009 16:17:58 -0200 Subject: [PATCH] Bug#42634: % character in query can cause mysqld signal 11 segfault The problem is that a unfiltered user query was being passed as the format string parameter of sql_print_warning which later performs printf-like formatting, leading to crashes if the user query contains formatting instructions (ie: %s). Also, it was using THD::query as the source of the user query, but this variable is not meaningful in some situations -- in a delayed insert, it points to the table name. The solution is to pass the user query as a parameter for the format string and use the function parameter query_arg as the source of the user query. mysql-test/suite/binlog/r/binlog_unsafe.result: Add test case result for Bug#42634 mysql-test/suite/binlog/t/binlog_unsafe.test: Add test case for Bug#42634 sql/sql_class.cc: Don't pass the user query as a format string. --- mysql-test/suite/binlog/r/binlog_unsafe.result | 7 +++++++ mysql-test/suite/binlog/t/binlog_unsafe.test | 14 ++++++++++++++ sql/sql_class.cc | 8 +++----- 3 files changed, 24 insertions(+), 5 deletions(-) diff --git a/mysql-test/suite/binlog/r/binlog_unsafe.result b/mysql-test/suite/binlog/r/binlog_unsafe.result index 1f7b217dc31..7c0980ba77c 100644 --- a/mysql-test/suite/binlog/r/binlog_unsafe.result +++ b/mysql-test/suite/binlog/r/binlog_unsafe.result @@ -220,3 +220,10 @@ Warning 1592 Statement is not safe to log in statement format. Warning 1592 Statement is not safe to log in statement format. DROP PROCEDURE p1; DROP TABLE t1; +DROP TABLE IF EXISTS t1; +CREATE TABLE t1 (a VARCHAR(100), b VARCHAR(100)); +INSERT INTO t1 VALUES ('a','b'); +UPDATE t1 SET b = '%s%s%s%s%s%s%s%s%s%s%s%s%s%s' WHERE a = 'a' LIMIT 1; +Warnings: +Warning 1592 Statement is not safe to log in statement format. +DROP TABLE t1; diff --git a/mysql-test/suite/binlog/t/binlog_unsafe.test b/mysql-test/suite/binlog/t/binlog_unsafe.test index 0d7059bc31f..f58233d4fef 100644 --- a/mysql-test/suite/binlog/t/binlog_unsafe.test +++ b/mysql-test/suite/binlog/t/binlog_unsafe.test @@ -257,3 +257,17 @@ delimiter ;| CALL p1(); DROP PROCEDURE p1; DROP TABLE t1; + +# +# Bug#42634: % character in query can cause mysqld signal 11 segfault +# + +--disable_warnings +DROP TABLE IF EXISTS t1; +--enable_warnings + +CREATE TABLE t1 (a VARCHAR(100), b VARCHAR(100)); +INSERT INTO t1 VALUES ('a','b'); +UPDATE t1 SET b = '%s%s%s%s%s%s%s%s%s%s%s%s%s%s' WHERE a = 'a' LIMIT 1; +DROP TABLE t1; + diff --git a/sql/sql_class.cc b/sql/sql_class.cc index 06f1c644be0..118dc5af68f 100644 --- a/sql/sql_class.cc +++ b/sql/sql_class.cc @@ -3660,16 +3660,14 @@ int THD::binlog_query(THD::enum_binlog_query_type qtype, char const *query_arg, if (lex->is_stmt_unsafe() && variables.binlog_format == BINLOG_FORMAT_STMT) { - DBUG_ASSERT(this->query != NULL); push_warning(this, MYSQL_ERROR::WARN_LEVEL_WARN, ER_BINLOG_UNSAFE_STATEMENT, ER(ER_BINLOG_UNSAFE_STATEMENT)); if (!(binlog_flags & BINLOG_FLAG_UNSAFE_STMT_PRINTED)) { - char warn_buf[MYSQL_ERRMSG_SIZE]; - my_snprintf(warn_buf, MYSQL_ERRMSG_SIZE, "%s Statement: %s", - ER(ER_BINLOG_UNSAFE_STATEMENT), this->query); - sql_print_warning(warn_buf); + sql_print_warning("%s Statement: %.*s", + ER(ER_BINLOG_UNSAFE_STATEMENT), + MYSQL_ERRMSG_SIZE, query_arg); binlog_flags|= BINLOG_FLAG_UNSAFE_STMT_PRINTED; } }