From 5a2a6c2c0dacd3509cacf89cae22c9657f19a7c7 Mon Sep 17 00:00:00 2001
From: Ramil Kalimullin
Date: Tue, 12 Oct 2010 23:25:40 +0400
Subject: [PATCH 1/2] Fix for bug#57272: crash in rpad() when using utf8
Problem: if multibyte and binary string arguments passed to RPAD(), LPAD() or INSERT() functions, they might return wrong results or even lead to a server crash due to missed character set convertion. Fix: perform the convertion if necessary.
---
 mysql-test/r/ctype_utf8.result | 31 +++++++++++++++++++++++++
 mysql-test/t/ctype_utf8.test | 20 ++++++++++++++++
 sql/item_strfunc.cc | 42 ++++++++++++++++++++++++++++++++++
 3 files changed, 93 insertions(+)
diff --git a/mysql-test/r/ctype_utf8.result b/mysql-test/r/ctype_utf8.result
index 4c21e66a39c..b491ce504bf 100644
--- a/mysql-test/r/ctype_utf8.result
+++ b/mysql-test/r/ctype_utf8.result
@@ -1898,3 +1898,34 @@ CONVERT(a, CHAR) CONVERT(b, CHAR)
 70000 1092
 DROP TABLE t1;
 End of 5.0 tests
+SELECT LENGTH(RPAD(0.0115E88, 61297, _utf8'яэюя'));
+LENGTH(RPAD(0.0115E88, 61297, _utf8'яэюя'))
+61297
+SELECT LENGTH(RPAD(0.0115E88, 61297, _utf8'йцуя'));
+LENGTH(RPAD(0.0115E88, 61297, _utf8'йцуя'))
+61297
+SELECT HEX(RPAD(0x20, 2, _utf8 0xD18F));
+HEX(RPAD(0x20, 2, _utf8 0xD18F))
+20D1
+SELECT HEX(RPAD(0x20, 4, _utf8 0xD18F));
+HEX(RPAD(0x20, 4, _utf8 0xD18F))
+20D18FD1
+SELECT HEX(LPAD(0x20, 2, _utf8 0xD18F));
+HEX(LPAD(0x20, 2, _utf8 0xD18F))
+D120
+SELECT HEX(LPAD(0x20, 4, _utf8 0xD18F));
+HEX(LPAD(0x20, 4, _utf8 0xD18F))
+D18FD120
+SELECT HEX(RPAD(_utf8 0xD18F, 3, 0x20));
+HEX(RPAD(_utf8 0xD18F, 3, 0x20))
+D18F20
+SELECT HEX(LPAD(_utf8 0xD18F, 3, 0x20));
+HEX(LPAD(_utf8 0xD18F, 3, 0x20))
+20D18F
+SELECT HEX(INSERT(_utf8 0xD18F, 2, 1, 0x20));
+HEX(INSERT(_utf8 0xD18F, 2, 1, 0x20))
+D120
+SELECT HEX(INSERT(_utf8 0xD18FD18E, 2, 1, 0x20));
+HEX(INSERT(_utf8 0xD18FD18E, 2, 1, 0x20))
+D120D18E
+End of 5.1 tests
diff --git a/mysql-test/t/ctype_utf8.test b/mysql-test/t/ctype_utf8.test
index 23c83310886..8e9f09d1e56 100644
--- a/mysql-test/t/ctype_utf8.test
+++ b/mysql-test/t/ctype_utf8.test
@@ -1466,3 +1466,23 @@ SELECT CONVERT(a, CHAR), CONVERT(b, CHAR) from t1 GROUP BY b;
 DROP TABLE t1;
 
 --echo End of 5.0 tests
+
+
+#
+# Bug #57272: crash in rpad() when using utf8
+#
+SELECT LENGTH(RPAD(0.0115E88, 61297, _utf8'яэюя'));
+SELECT LENGTH(RPAD(0.0115E88, 61297, _utf8'йцуя'));
+SELECT HEX(RPAD(0x20, 2, _utf8 0xD18F));
+SELECT HEX(RPAD(0x20, 4, _utf8 0xD18F));
+SELECT HEX(LPAD(0x20, 2, _utf8 0xD18F));
+SELECT HEX(LPAD(0x20, 4, _utf8 0xD18F));
+
+SELECT HEX(RPAD(_utf8 0xD18F, 3, 0x20));
+SELECT HEX(LPAD(_utf8 0xD18F, 3, 0x20));
+
+SELECT HEX(INSERT(_utf8 0xD18F, 2, 1, 0x20));
+SELECT HEX(INSERT(_utf8 0xD18FD18E, 2, 1, 0x20));
+
+
+--echo End of 5.1 tests
diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc
index 5d56b0a621a..9f06a4b5c9f 100644
--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@@ -1013,6 +1013,20 @@ String *Item_func_insert::val_str(String *str)
   if ((length < 0) || (length > res->length()))
     length= res->length();
 
+  /*
+    There is one exception not handled (intentionaly) by the character set
+    aggregation code. If one string is strong side and is binary, and
+    another one is weak side and is a multi-byte character string,
+    then we need to operate on the second string in terms on bytes when
+    calling ::numchars() and ::charpos(), rather than in terms of characters.
+    Lets substitute its character set to binary.
+  */
+  if (collation.collation == &my_charset_bin)
+  {
+    res->set_charset(&my_charset_bin);
+    res2->set_charset(&my_charset_bin);
+  }
+
   /* start and length are now sufficiently valid to pass to charpos function */
   start= res->charpos((int) start);
   length= res->charpos((int) length, (uint32) start);
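Review bot: The 14-line block added after `length= res->length();` is copied verbatim into Item_func_rpad::val_str and Item_func_lpad::val_str in the next two hunks; it should be one static helper taking the aggregated charset and the two String pointers, so the three call sites cannot drift apart the next time this rule changes. The comment also needs `intentionally` and `in terms of bytes`, and one sentence saying why a byte-wise view is acceptable here: the result is binary, so cutting inside a multi-byte sequence (as `HEX(RPAD(0x20, 2, _utf8 0xD18F))` = `20D1` in the new tests shows) is the intended behaviour, not an accident. Note that `res` and `res2` may alias an argument's own buffer rather than the scratch `str`, so `set_charset()` presumably changes that String's charset beyond this call; worth confirming that no later consumer of the same argument relies on it still being UTF-8, and documenting it if so. Item_func_insert::val_str starts and ends outside the hunk.
```cpp
/*
  Shared by Item_func_insert/rpad/lpad::val_str(): when the aggregated
  collation is binary, a multi-byte argument was intentionally left
  unconverted by charset aggregation, so numchars()/charpos() must see
  both operands as byte strings. Cutting inside a multi-byte sequence is
  acceptable because the result itself is binary.
*/
static void set_binary_if_result_is_bin(CHARSET_INFO *result_cs,
                                        String *a, String *b)
{
  if (result_cs == &my_charset_bin)
  {
    a->set_charset(&my_charset_bin);
    b->set_charset(&my_charset_bin);
  }
}

// … unchanged: Item_func_insert::val_str up to the length clamp …
  set_binary_if_result_is_bin(collation.collation, res, res2);
// … unchanged: charpos() calls and the rest of the function …
```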
@@ -2514,6 +2528,20 @@ String *Item_func_rpad::val_str(String *str)
   /* Set here so that rest of code sees out-of-bound value as such. */
   if ((ulonglong) count > INT_MAX32)
     count= INT_MAX32;
+  /*
+    There is one exception not handled (intentionaly) by the character set
+    aggregation code. If one string is strong side and is binary, and
+    another one is weak side and is a multi-byte character string,
+    then we need to operate on the second string in terms on bytes when
+    calling ::numchars() and ::charpos(), rather than in terms of characters.
+    Lets substitute its character set to binary.
+  */
+  if (collation.collation == &my_charset_bin)
+  {
+    res->set_charset(&my_charset_bin);
+    rpad->set_charset(&my_charset_bin);
+  }
+
   if (count <= (res_char_length= res->numchars()))
   {                                             // String to pad is big enough
     res->length(res->charpos((int) count));     // Shorten result if longer
@@ -2616,6 +2644,20 @@ String *Item_func_lpad::val_str(String *str)
   if ((ulonglong) count > INT_MAX32)
     count= INT_MAX32;
 
+  /*
+    There is one exception not handled (intentionaly) by the character set
+    aggregation code. If one string is strong side and is binary, and
+    another one is weak side and is a multi-byte character string,
+    then we need to operate on the second string in terms on bytes when
+    calling ::numchars() and ::charpos(), rather than in terms of characters.
+    Lets substitute its character set to binary.
+  */
+  if (collation.collation == &my_charset_bin)
+  {
+    res->set_charset(&my_charset_bin);
+    pad->set_charset(&my_charset_bin);
+  }
+
   res_char_length= res->numchars();
 
   if (count <= res_char_length)
From 9ef7eac2c0a27cbacbd5c1499119f7c4b58a48fe Mon Sep 17 00:00:00 2001
From: Ramil Kalimullin Date: Tue, 12 Oct 2010 23:28:03 +0400 Subject: [PATCH 2/2] Fix for bug#57283: inet_ntoa() crashes Problem: some call of INET_NTOA() function may lead to a crash due to missing its character set initialization. Fix: explicitly set the character set. --- mysql-test/r/func_misc.result | 6 ++++++ mysql-test/t/func_misc.test | 8 ++++++++ sql/item_strfunc.cc | 1 + 3 files changed, 15 insertions(+) diff --git a/mysql-test/r/func_misc.result b/mysql-test/r/func_misc.result index eee56ae7461..082b6eb50c2 100644 --- a/mysql-test/r/func_misc.result +++ b/mysql-test/r/func_misc.result @@ -351,4 +351,10 @@ GREATEST(a, (SELECT b FROM t1 LIMIT 1)) 3 1 DROP TABLE t1; +SELECT INET_NTOA(0); +INET_NTOA(0) +0.0.0.0 +SELECT '1' IN ('1', INET_NTOA(0)); +'1' IN ('1', INET_NTOA(0)) +1 End of tests diff --git a/mysql-test/t/func_misc.test b/mysql-test/t/func_misc.test index c6b5ffd5a3f..f47418fa773 100644 --- a/mysql-test/t/func_misc.test +++ b/mysql-test/t/func_misc.test @@ -479,4 +479,12 @@ SELECT DISTINCT GREATEST(a, (SELECT b FROM t1 LIMIT 1)) FROM t1 UNION SELECT 1; DROP TABLE t1; + +# +# Bug #57283: inet_ntoa() crashes +# +SELECT INET_NTOA(0); +SELECT '1' IN ('1', INET_NTOA(0)); + + --echo End of tests diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc index 9f06a4b5c9f..8fda281bd9e 100644 --- a/sql/item_strfunc.cc +++ b/sql/item_strfunc.cc @@ -3135,6 +3135,7 @@ String* Item_func_inet_ntoa::val_str(String* str) if ((null_value= (args[0]->null_value || n > (ulonglong) LL(4294967295)))) return 0; // Null value + str->set_charset(collation.collation); str->length(0); int4store(buf,n);