1berry/MariaDB-server
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

MDEV-28315 Fix ASAN stack-buffer-overflow in String::copy_aligned

Browse Source 
Starting since this commit 36cdd5c3cdb06d8538f64c0b312ffe4672a92e75
there is an ASAN stack-buffer-overflow error because we append a NULL
terminator beyond the length of memory allocated.

Reviewed by: Monty and Nayuta Yanagisawa
This commit is contained in:
Norio Akagi 2022-08-01 04:27:33 -07:00 committed by GitHub
parent 63478e72de
commit 84d26f98c7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 24 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
mysql-test/main/strings.result
View File

@ -18,3 +18,13 @@ LENGTH(CONCAT_WS(d, ' '))
1 1
1 1
DROP TABLE t1; DROP TABLE t1;
#
# MDEV-28315 ASAN stack-buffer-overflow in String::copy_aligned
#
CREATE TABLE t1 (a VARBINARY(128)) CHARACTER SET utf32;
INSERT INTO t1 VALUES ('South Carolina, Vermont, New Jersey, New Mexico, Wisconsin, Missouri, Delaware');
CREATE TABLE t2 (b SET('South Carolina', 'Vermont', 'Texas', 'New Mexico', 'Wisconsin', 'Missouri', 'Delaware', 'Wyoming', 'New Jersey', 'Maryland', 'Illinois', 'New York')) CHARACTER SET utf32;
INSERT INTO t2 SELECT * FROM t1;
ERROR 01000: Data truncated for column 'b' at row 1
DROP TABLE t1;
DROP TABLE t2;

12
mysql-test/main/strings.test
View File

@ -24,3 +24,15 @@ CREATE TABLE t1 (d DATE);
INSERT INTO t1 VALUES ('1920-03-02'),('2020-12-01'); INSERT INTO t1 VALUES ('1920-03-02'),('2020-12-01');
SELECT LENGTH(CONCAT_WS(d, ' ')) FROM t1; SELECT LENGTH(CONCAT_WS(d, ' ')) FROM t1;
DROP TABLE t1; DROP TABLE t1;
--echo #
--echo # MDEV-28315 ASAN stack-buffer-overflow in String::copy_aligned
--echo #
CREATE TABLE t1 (a VARBINARY(128)) CHARACTER SET utf32;
INSERT INTO t1 VALUES ('South Carolina, Vermont, New Jersey, New Mexico, Wisconsin, Missouri, Delaware');
CREATE TABLE t2 (b SET('South Carolina', 'Vermont', 'Texas', 'New Mexico', 'Wisconsin', 'Missouri', 'Delaware', 'Wyoming', 'New Jersey', 'Maryland', 'Illinois', 'New York')) CHARACTER SET utf32;
--error WARN_DATA_TRUNCATED
INSERT INTO t2 SELECT * FROM t1;
DROP TABLE t1;
DROP TABLE t2;

2
sql/sql_string.cc
View File

@ -398,7 +398,7 @@ bool String::copy_aligned(const char *str, size_t arg_length, size_t offset,
DBUG_ASSERT(offset && offset != cs->mbminlen); DBUG_ASSERT(offset && offset != cs->mbminlen);
size_t aligned_length= arg_length + offset; size_t aligned_length= arg_length + offset;
if (alloc(aligned_length)) if (alloc(aligned_length+1))
return TRUE; return TRUE;
/* /*

2
sql/sql_string.h
View File

@ -690,7 +690,7 @@ public:
Note that if arg_length == Alloced_length then we don't allocate. Note that if arg_length == Alloced_length then we don't allocate.
This ensures we don't do any extra allocations in protocol and String:int, This ensures we don't do any extra allocations in protocol and String:int,
but the string will not be atomically null terminated if c_ptr() is not but the string will not be automatically null terminated if c_ptr() is not
called. called.
*/ */
if (arg_length <= Alloced_length && Alloced_length) if (arg_length <= Alloced_length && Alloced_length)