MySQL Bugs: #31070: crash during conversion of charsets

Bug #31070	crash during conversion of charsets
Submitted:	17 Sep 2007 22:10	Modified:	23 Oct 2007 0:07
Reporter:	Shane Bester (Platinum Quality Contributor)	Email Updates:
Status:	Closed	Impact on me:	None
Category:	MySQL Server: Charsets	Severity:	S2 (Serious)
Version:	5.0.50, 5.1.23BK	OS:	Any
Assigned to:	Ramil Kalimullin	CPU Architecture:	Any

Description:
0x818b1e5 handle_segfault + 417
0x83c9b99 my_mb_wc_big5 + 17
0x8189b77 copy_and_convert(char*, unsigned int, charset_info_st*, char const*, unsigned int, charset_info_st*, unsigned int*) + 71
0x818918b String::copy(char const*, unsigned int, charset_info_st*, charset_info_st*, unsigned int*) + 159
0x814f10b Item_func_conv_charset::val_str(String*) + 99
0x81330fc Item_func_locate::val_int() + 60
0x81dba43 evaluate_join_record(JOIN*, st_join_table*, int, char*) + 163
0x81d4d6a sub_select(JOIN*, st_join_table*, bool) + 262
0x81db7b0 do_select(JOIN*, List<Item>*, st_table*, Procedure*) + 260
0x81d013a JOIN::exec() + 1434
0x81d17a5 _Z12mysql_selectP3THDPPP4ItemP10TABLE_LISTjR4ListIS1_ES2_jP8st_orderSB_S2_SB_yP13select_resultP18st_select_lex_unitP13st_select + 309
0x81ccfdc handle_select(THD*, st_lex*, select_result*, unsigned long) + 260
0x81a03d2 mysql_execute_command(THD*) + 678
0x81a6c3d mysql_parse(THD*, char const*, unsigned int, char const**) + 241
0x819ed46 dispatch_command(enum_server_command, THD*, char*, unsigned int) + 1198
0x819e85c do_command(THD*) + 144
0x819dec6 handle_one_connection + 646
0x40045aa7 _end + 933533303
0x40176c2e _end + 934782974
New value of fp=(nil) failed sanity check, terminating stack trace!
Please read http://dev.mysql.com/doc/mysql/en/using-stack-trace.html and follow instructions on how to resolve the stack trace. Resolved
stack trace is much more helpful in diagnosing the problem, so please do 
resolve it
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at 0x89e2920 = select col030 / col023 from t1 where position(col018 in col030) group by numgeometries(col025) order by ucase(col011) desc
thd->thread_id=16

How to repeat:
.

Suggested fix:
.

---------------------------------
testcase1
---------------------------------

drop table if exists `t1`;
create table `t1` (`col003` set('a') charset euckr collate euckr_bin not null)engine=myisam;
insert into `t1` values ();
select cast(col003 as char(1)) from t1;

---------------------------------
testcase2 (slightly different stack)
---------------------------------

drop table if exists `t1`;
create table `t1` (`col001` set('a') charset big5 collate big5_chinese_ci not null )engine=myisam;
insert into `t1` values (),();
select cast(col001 as char(1)) from t1;

So far I've only seen the following funcions in the lower level of the stack traces:

my_mb_wc_gb2312
my_mb_wc_euc_kr
my_mb_wc_sjis
my_mb_wc_big5
my_mb_wc_cp932

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/34801

ChangeSet@1.2685, 2007-10-03 11:42:44+05:00, ramil@mysql.com +11 -0
  Fix for bug #31069: crash in 'sounds like'
  and for bug #31070: crash during conversion of charsets
  
  Problem: passing a 0 byte length string to some my_mb_wc_XXX() 
  functions leads to server crash due to improper argument check.
  
  Fix: properly check arguments passed to my_mb_wc_XXX() functions.

http://lists.mysql.com/commits/34801 is ok to push

Pushed into 5.1.23-beta

Pushed into 5.0.52

Pushed into 4.1.24

Noted in 4.1.24, 5.0.52, 5.1.23 changelogs.

Internal conversion routines could fail for several multi-byte
character sets (big5, cp932, euckr, gb2312, sjis) for empty strings
or during evaluation of SOUNDS LIKE.