database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-27 18:02:13 +03:00
Code Activity

Bug#39591: Crash if table comment is longer than 62 characters

Browse Source 
It was possible to crash a mysqld build with EXTRA_DEBUG using
CREATE TABLE ... COMMENT with a specially-crafted UTF-8 string.

This CS removes the check that caused it since it no longer
applies in current servers anyway, and adds comments instead
to avoid future confusion.
This commit is contained in:
Tatiana A. Nurnberg
2008-11-20 15:39:39 +01:00
parent 0001121ccb
commit d1e5808d7e
3 changed files with 34 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
sql/unireg.cc
View File

@ -143,6 +143,24 @@ bool mysql_create_frm(THD *thd, my_string file_name,
(create_info->min_rows == 1) && (keys == 0));
int2store(fileinfo+28,key_info_length);
/*
This gives us the byte-position of the character at
(character-position, not byte-position) TABLE_COMMENT_MAXLEN.
The trick here is that character-positions start at 0, so the last
character in a maximum-allowed length string would be at char-pos
MAXLEN-1; charpos MAXLEN will be the position of the terminator.
Consequently, bytepos(charpos(MAXLEN)) should be equal to
comment[length] (which should also be the terminator, or at least
the first byte after the payload in the strict sense). If this is
not so (bytepos(charpos(MAXLEN)) comes /before/ the end of the
string), the string is too long.
For additional credit, realise that UTF-8 has 1-3 bytes before 6.0,
and 1-4 bytes in 6.0 (6.0 also has UTF-32). This means that the
inlined COMMENT supposedly does not exceed 60 character plus
terminator, vulgo, 181 bytes.
*/
tmp_len= system_charset_info->cset->charpos(system_charset_info,
create_info->comment.str,
create_info->comment.str +
@ -165,14 +183,6 @@ bool mysql_create_frm(THD *thd, my_string file_name,
strmake((char*) forminfo+47, create_info->comment.str ?
create_info->comment.str : "", create_info->comment.length);
forminfo[46]=(uchar) create_info->comment.length;
#ifdef EXTRA_DEBUG
/*
EXTRA_DEBUG causes strmake() to initialize its buffer behind the
payload with a magic value to detect wrong buffer-sizes. We
explicitly zero that segment again.
*/
memset((char*) forminfo+47 + forminfo[46], 0, 61 - forminfo[46]);
#endif
if (my_pwrite(file,(byte*) fileinfo,64,0L,MYF_RW) ||
my_pwrite(file,(byte*) keybuff,key_info_length,
(ulong) uint2korr(fileinfo+6),MYF_RW))