Bug #34021 Character sets: crash if concatenate utf32 and number
Submitted: 23 Jan 2008 21:00 Modified: 12 May 2009 1:32
Reporter: Peter Gulutzan
Status: Closed
Category:MySQL Server: Charsets Severity:S3 (Non-critical)
Version:6.0.5-alpha-debug OS:Linux (SUSE 10 / 64-bit)
Assigned to: Alexander Barkov CPU Architecture:Any

[23 Jan 2008 21:00] Peter Gulutzan
Description:
I create a table with a utf32 column.
I insert one row.
I select from the table with CONCAT(utf32 column, number).
Crash.

How to repeat:
mysql> create table tno (s1 char(5) character set utf32);
Query OK, 0 rows affected (0.04 sec)

mysql> insert into tno values ('a');
Query OK, 1 row affected (0.00 sec)

mysql> insert into tno select concat(s1,1) from tno;
ERROR 2013 (HY000): Lost connection to MySQL server during query
[25 Jan 2008 11:24] Sveta Smirnova
Thank you for the report.

Verified as described.
[4 Dec 2008 12:27] Alexander Barkov
Workaround: use CAST for number:

drop table if exists t1;
create table t1 (s1 char(5) character set utf32);
insert into t1 values ('a');
insert into t1 select concat(s1,cast(1 as char)) from t1;
select hex(s1) from t1;

+------------------+
| hex(s1)          |
+------------------+
| 00000061         |
| 0000006100000031 |
+------------------+
2 rows in set (0.00 sec)
[4 Dec 2008 13:44] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/60606

2772 Alexander Barkov	2008-12-04
      Bug#34021 Character sets: crash if concatenate utf32 and number
      
      Problem: When inserting a CONCAT between a UTF32 string
      and a number into a UTF32 column, mysqld could crash.
      What happened was:
      - Item_num::safe_charset_converter() returned wrong length,
      which is not divisible by mbminlen=4.
      - As a result, Item_func_concat() returned wrong length.
      - Then this call stack happened:
        Field_string::store() ->
        well_formed_copy_nchars() ->
        to_cs->cset->well_formed_len() ->
        my_well_formed_len_utf32()
      - The latter call crashed on assert:
        DBUG_ASSERT((length % 4) == 0);
      
      Fix: Item_num_safe_charset_converter() now adds leading
      zeros if str_val() returned a string with length not
      divisible by mbminlen.
[24 Dec 2008 8:24] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/62286

2823 Alexander Barkov	2008-12-24
      Bug#34021 Character sets: crash if concatenate utf32 and number
            
      Problem:
        When inserting a CONCAT between a UTF32 string
        and a number into a UTF32 column, mysqld could crash.
        What happened was:
      - Item_num::safe_charset_converter() returned wrong length,
        which is not divisible by mbminlen=4.
      - As a result, Item_func_concat() returned wrong length.
      - Then this call stack happened:
        Field_string::store() ->
        well_formed_copy_nchars() ->
        to_cs->cset->well_formed_len() ->
        my_well_formed_len_utf32()
      - The last call crashed on assert:
        DBUG_ASSERT((length % 4) == 0);
      
      Fix:
        Item_num_safe_charset_converter() now adds leading
        zeros if str_val() returned a string with length not
        divisible by mbminlen.
[7 Apr 2009 6:11] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/71495

3184 Alexander Barkov	2009-04-07
      Bug#34021 Character sets: crash if concatenate utf32 and number
                  
            Problem:
              When inserting a CONCAT between a UTF32 string
              and a number into a UTF32 column, mysqld could crash.
              What happened was:
            - Item_num::safe_charset_converter() returned wrong length,
              which is not divisible by mbminlen=4.
            - As a result, Item_func_concat() returned wrong length.
            - Then this call stack happened:
              Field_string::store() ->
              well_formed_copy_nchars() ->
              to_cs->cset->well_formed_len() ->
              my_well_formed_len_utf32()
            - The last call crashed on assert:
              DBUG_ASSERT((length % 4) == 0);
            
            Fix:
              Item_num_safe_charset_converter() now adds leading
              zeros if str_val() returned a string with length not
              divisible by mbminlen.
      
      
      modified:
        mysql-test/r/ctype_utf32.result
        mysql-test/t/ctype_utf32.test
        sql/item.cc
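The failure mode in the commit message, reduced to a small C model. This is an added example, not MySQL's code: the function names (utf32_well_formed, num_to_utf32_buggy, num_to_utf32_fixed, run_concat_insert) are hypothetical, the "buggy" converter is a simplified stand-in for the pre-fix Item_num::safe_charset_converter() behaviour as described above (one byte per digit, labelled utf32), and the field store here rejects a malformed buffer with an error code instead of tripping a DBUG_ASSERT. Input is the same 'a' plus 1 from the report, and the fixed path reproduces the HEX() output shown in the workaround.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define UTF32_MBMINLEN 4   /* every utf32 character occupies exactly 4 bytes */

/* Well-formedness check modelled on the assertion quoted in the commit
 * message: a utf32 buffer whose byte length is not a multiple of 4 is
 * malformed.  Returns 1 if well formed, 0 otherwise (no assert). */
static int utf32_well_formed(const unsigned char *s, size_t len)
{
    if (len % UTF32_MBMINLEN != 0)
        return 0;
    for (size_t i = 0; i < len; i += UTF32_MBMINLEN) {
        uint32_t cp = ((uint32_t)s[i] << 24) | ((uint32_t)s[i + 1] << 16)
                    | ((uint32_t)s[i + 2] << 8) | (uint32_t)s[i + 3];
        if (cp > 0x10FFFFu || (cp >= 0xD800u && cp <= 0xDFFFu))
            return 0;           /* beyond Unicode or a surrogate code point */
    }
    return 1;
}

/* Pre-fix behaviour as the commit message describes it: the number's
 * decimal digits are emitted one byte each but labelled utf32, so the
 * result length is not divisible by mbminlen.  (Hypothetical model.) */
static size_t num_to_utf32_buggy(long n, unsigned char *out)
{
    char digits[24];
    int len = snprintf(digits, sizeof digits, "%ld", n);
    memcpy(out, digits, (size_t)len);
    return (size_t)len;
}

/* Post-fix behaviour: each ASCII digit is widened to a 4-byte big-endian
 * code unit by prepending three zero bytes, so '1' becomes 00 00 00 31. */
static size_t num_to_utf32_fixed(long n, unsigned char *out)
{
    char digits[24];
    int len = snprintf(digits, sizeof digits, "%ld", n);
    for (int i = 0; i < len; i++) {
        out[4 * i] = out[4 * i + 1] = out[4 * i + 2] = 0;
        out[4 * i + 3] = (unsigned char)digits[i];
    }
    return (size_t)len * UTF32_MBMINLEN;
}

/* HEX() of a byte buffer, uppercase, as the mysql client prints it. */
static void hex_of(const unsigned char *s, size_t len, char *out)
{
    static const char d[] = "0123456789ABCDEF";
    for (size_t i = 0; i < len; i++) {
        out[2 * i] = d[s[i] >> 4];
        out[2 * i + 1] = d[s[i] & 0x0F];
    }
    out[2 * len] = '\0';
}

/* INSERT ... SELECT CONCAT(s1, 1) from the report, modelled end to end:
 * CONCAT appends the converted number to the utf32 value of 'a', then the
 * field store validates the buffer before copying, the way a store that
 * rejects rather than asserts would.  Returns the number of bytes stored,
 * or -1 if the buffer is not well-formed utf32.  hex_out (optional) gets
 * HEX() of the stored value. */
static long run_concat_insert(int use_fix, char *hex_out)
{
    static const unsigned char a_utf32[4] = {0x00, 0x00, 0x00, 0x61}; /* constructed: 'a' */
    unsigned char buf[64], field[20];          /* field: char(5) utf32 = 20 bytes */

    memcpy(buf, a_utf32, sizeof a_utf32);
    size_t len = sizeof a_utf32 + (use_fix ? num_to_utf32_fixed(1, buf + 4)
                                           : num_to_utf32_buggy(1, buf + 4));
    if (!utf32_well_formed(buf, len) || len > sizeof field)
        return -1;
    memcpy(field, buf, len);
    if (hex_out)
        hex_of(field, len, hex_out);
    return (long)len;
}

int main(void)
{
    char hex[64];
    printf("buggy path: stored=%ld\n", run_concat_insert(0, hex));   /* -1: 5 bytes, not a multiple of 4 */
    printf("fixed path: stored=%ld hex=%s\n", run_concat_insert(1, hex), hex); /* 8, 0000006100000031 */
    return 0;
}
```

The buggy path produces a 5-byte buffer (4 bytes for 'a' plus one raw digit), which is exactly the length % 4 != 0 condition the assertion catches; a release build without the assert would instead hand a misaligned buffer to the utf32 routines. The fixed path yields 8 bytes and the same 0000006100000031 that the CAST workaround shows, which is also why CAST(1 AS CHAR) sidesteps the bug: the value then passes through the ordinary string conversion rather than the number-to-string path.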
[7 Apr 2009 6:21] Alexander Barkov
Pushed into 6.0-bugtea, currently marked as 6.0.11.
[6 May 2009 14:09] Bugs System
Pushed into 6.0.12-alpha (revid:svoj@sun.com-20090506125450-yokcmvqf2g7jhujq) (version source revid:bar@mysql.com-20090407060103-ghb9vaj2dbf996kv) (merge vers: 6.0.11-alpha) (pib:6)
[12 May 2009 1:32] Paul DuBois
Noted in 6.0.12 changelog.

Inserting the result of CONCAT() invoked with a utf32 string and a
number for arguments caused a server crash.