| Bug #49134 | 5.1 server segfaults with 2byte collation file | | |
|---|---|---|---|
| Submitted: | 26 Nov 2009 11:03 | Modified: | 12 Mar 2010 16:45 |
| Reporter: | Nidhi Shrotriya | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server: Charsets | Severity: | S3 (Non-critical) |
| Version: | 5.1.41 | OS: | Any |
| Assigned to: | Alexander Barkov | CPU Architecture: | Any |
[26 Nov 2009 11:03]
Nidhi Shrotriya
[27 Nov 2009 6:27]
Sveta Smirnova
Thank you for the report. Verified as described.
[10 Dec 2009 12:41]
Alexander Barkov
Nidhi, Sveta, which queries did you use to make old server crash? Thanks!
[11 Dec 2009 8:12]
Sveta Smirnova
No query, just start with this option. Not repeatable for me with current 5.1.43.
[14 Dec 2009 11:19]
Alexander Barkov
I cannot reproduce with mysql-5.1-bugfixing tree.

```
mysql> select version();
+--------------+
| version()    |
+--------------+
| 5.1.41-debug |
+--------------+
1 row in set (0.00 sec)

mysql> show variables like 'character_sets_dir';
+--------------------+----------------------------------------------------------------------+
| Variable_name      | Value                                                                |
+--------------------+----------------------------------------------------------------------+
| character_sets_dir | /home/bar/mysql-bzr/mysql-next-mr-bar/mysql-test/std_data/Index.xml/ |
+--------------------+----------------------------------------------------------------------+
1 row in set (0.00 sec)
```
[14 Dec 2009 12:56]
Alexander Barkov
Crash is not always repeatable with mysql-5.1.42-bugteam.

However, after analysing the code, I think that the function add_collation() in charset.c does not check that cs->number is within the size of the array all_charsets, which is 256 in 5.1. When loading an Index.xml file with a 2-byte collation ID, all_charsets[cs->number] points outside of all_charsets range. So the code should be fixed to check that cs->number is not greater than array_elements(all_charsets).

Adding this piece of code with a very huge collation ID into Index.xml makes server crash:

```xml
<collation name="utf8_hugeid_ci" id="2047000000">
  <rules>
    <reset>a</reset>
    <s>b</s>
  </rules>
</collation>
```
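A simplified model of the range check described in the analysis above, added here as an illustration and not MySQL's own charset.c code. It assumes a 256-slot all_charsets table, a CHARSET_INFO with a cs->number field and an array_elements() macro, and a hypothetical load_collation_line() that pulls the name and id attributes out of one Index.xml line; all of those names are assumptions that mirror the report.

```c
/* Added example, not MySQL's own code: a simplified model of the range check
 * the report says add_collation() lacked; names mirror the report by assumption. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define array_elements(A) (sizeof(A) / sizeof((A)[0]))
typedef struct { uint32_t number; char name[64]; } CHARSET_INFO;

/* 5.1-era table: 256 slots, so only 1-byte collation IDs are addressable. The
 * unfixed code stored all_charsets[cs->number] = cs unchecked, so id 2047000000
 * wrote far outside the array, which is the segfault reported above. */
static CHARSET_INFO *all_charsets[256];
static CHARSET_INFO pool[8];   /* constructed storage for parsed entries */
static size_t pool_used;

/* The fixed shape: reject any ID that is not a valid index into the table. */
static int add_collation(CHARSET_INFO *cs) {
    if (cs->number == 0 || cs->number >= array_elements(all_charsets))
        return -1;   /* out of valid range: skip this collation */
    all_charsets[cs->number] = cs;
    return 0;
}

/* Parse name="..." and id="..." from one <collation> line of Index.xml and
 * register it.  Returns the ID on success, -1 if unparsable or rejected. */
static long load_collation_line(const char *line) {
    const char *n = strstr(line, "name=\""), *i = strstr(line, "id=\"");
    if (!n || !i || pool_used >= array_elements(pool)) return -1;
    CHARSET_INFO *cs = &pool[pool_used];
    char *end; errno = 0;
    unsigned long long id = strtoull(i + 4, &end, 10);
    if (errno || end == i + 4 || *end != '"' || id > UINT32_MAX) return -1;
    cs->number = (uint32_t)id;
    snprintf(cs->name, sizeof cs->name, "%.*s", (int)strcspn(n + 6, "\""), n + 6);
    if (add_collation(cs) != 0) return -1;
    pool_used++;
    return (long)cs->number;
}

/* Checked lookup so the read side cannot walk off the table either. */
static const char *collation_name(uint32_t id) {
    if (id >= array_elements(all_charsets) || !all_charsets[id]) return NULL;
    return all_charsets[id]->name;
}
int main(void) {
    printf("%ld\n", load_collation_line("<collation name=\"utf8_test_ci\" id=\"200\">"));
    printf("%ld\n", load_collation_line("<collation name=\"utf8_hugeid_ci\" id=\"2047000000\">"));
    return 0;
}
```

Running it prints 200 for the in-range collation and -1 for the huge ID, which is the outcome the fix produces instead of the out-of-bounds write.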
[14 Dec 2009 13:03]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/93905

3269 Alexander Barkov 2009-12-14
Bug#49134 5.1 server segfaults with 2byte collation file

Problem: add_collation did not check that cs->number is smaller than the number of elements in the array all_charsets[], so server could crash when loading an Index.xml file with a collation ID greater than the number of elements (for example when downgrading from 5.5).

Fix: adding a condition to check that cs->number is not out of valid range.
[15 Dec 2009 9:53]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/94080

3274 Alexander Barkov 2009-12-15
Bug#49134 5.1 server segfaults with 2byte collation file

Problem: add_collation did not check that cs->number is smaller than the number of elements in the array all_charsets[], so server could crash when loading an Index.xml file with a collation ID greater than the number of elements (for example when downgrading from 5.5).

Fix: adding a condition to check that cs->number is not out of valid range.
[15 Dec 2009 10:15]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/94084

3776 Alexander Barkov 2009-12-15 [merge]
Merging Bug#49134 from mysql-5.1-bugteam
[15 Dec 2009 10:16]
Alexander Barkov
Pushed into:
mysql-5.1-bugteam (5.1.42)
mysql-pe (6.0.14)
[19 Dec 2009 8:28]
Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20091219082307-f3i4fn0tm8trb3c0) (version source revid:alik@sun.com-20091216180721-eoa754i79j4ssd3m) (merge vers: 6.0.14-alpha) (pib:15)
[19 Dec 2009 8:32]
Bugs System
Pushed into 5.5.1-m2 (revid:alik@sun.com-20091219082021-f34nq4jytwamozz0) (version source revid:alexey.kopytov@sun.com-20091216134707-o96eqw0u2ynvo9gm) (merge vers: 5.5.0-beta) (pib:15)
[19 Dec 2009 8:36]
Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20091219082213-nhjjgmphote4ntxj) (version source revid:alik@sun.com-20091216180221-a5ps59gajad3pip9) (pib:15)
[8 Jan 2010 1:15]
Paul DuBois
Bug affects 5.1, so no changelog entry needed for 5.5+. Setting report to NDI pending push to 5.1.x.
[15 Jan 2010 9:00]
Bugs System
Pushed into 5.1.43 (revid:joro@sun.com-20100115085139-qkh0i0fpohd9u9p5) (version source revid:bar@mysql.com-20091215094829-a67epp1rbkkkw1rc) (merge vers: 5.1.42) (pib:16)
[22 Jan 2010 1:16]
Paul DuBois
Noted in 5.1.43 changelog. MySQL 5.1 does not support 2-byte collation numbers, but did not check the number and crashed for out-of-range values.
[12 Mar 2010 14:19]
Bugs System
Pushed into 5.1.44-ndb-7.0.14 (revid:jonas@mysql.com-20100312135944-t0z8s1da2orvl66x) (version source revid:jonas@mysql.com-20100312115609-woou0te4a6s4ae9y) (merge vers: 5.1.44-ndb-7.0.14) (pib:16)
[12 Mar 2010 14:34]
Bugs System
Pushed into 5.1.44-ndb-6.2.19 (revid:jonas@mysql.com-20100312134846-tuqhd9w3tv4xgl3d) (version source revid:jonas@mysql.com-20100312060623-mx6407w2vx76h3by) (merge vers: 5.1.44-ndb-6.2.19) (pib:16)
[12 Mar 2010 14:50]
Bugs System
Pushed into 5.1.44-ndb-6.3.33 (revid:jonas@mysql.com-20100312135724-xcw8vw2lu3mijrhn) (version source revid:jonas@mysql.com-20100312103652-snkltsd197l7q2yg) (merge vers: 5.1.44-ndb-6.3.33) (pib:16)