Bug #35480 BOM detection code crashes mysql CLI with zero-sized input
Submitted: 21 Mar 2008 12:41 Modified: 28 Jul 2008 17:15
Reporter: Domas Mituzas
Status: Closed
Category: Client   Severity: S3 (Non-critical)
Version: 5.0.54 - 5.0-bk, 5.1.23 - 5.1-bk   OS: Any
Assigned to: Tatjana A. Nuernberg   Target Version: 5.0+
Tags: patch, regression
Triage: D2 (Serious) / R1 (None/Negligible) / E1 (None/Negligible)

[21 Mar 2008 12:41] Domas Mituzas
Description:
MySQL client crashes with very unhealthy 'Bus error' in BOM detection code if no input is
passed to it:

      if (!line_number &&
           (uchar) line[0] == 0xEF &&
           (uchar) line[1] == 0xBB &&
           (uchar) line[2] == 0xBF)
        line+= 3;

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x00008045 in read_and_execute (interactive=false) at mysql.cc:1807
1807          if (!line_number &&
(gdb) bt
#0  0x00008045 in read_and_execute (interactive=false) at mysql.cc:1807
#1  0x0000a650 in main (argc=2, argv=0x11003e0) at mysql.cc:1205
Current language:  auto; currently c++

How to repeat:
flute:~ midom$ mysql < /dev/null
Bus error
flute:~ midom$ sleep 0 | mysql
Bus error

Suggested fix:
check if there's any data before reading it :)
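The condition quoted in the report, in its crashing shape next to a checked shape, as an added example that is not the mysql client's own code. The helper names, the `process_input` stand-in for the client's read loop and the sample inputs are assumptions made for the example; the BOM bytes are the ones the report's condition tests for.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the mysql client's own code. It shows the BOM check
 * from the report in its crashing shape and a hardened shape that is safe
 * for a NULL line (what the CLI got on empty input) and for lines shorter
 * than the three-byte BOM. Names and the reader simulation are assumptions. */

/* UTF-8 byte order mark, the bytes an editor writes for "Unicode UTF-8". */
static const unsigned char UTF8_BOM[3] = {0xEF, 0xBB, 0xBF};

/* 'Before' form, same logic as the reported code: it dereferences line
 * without checking it, so a NULL line faults at address 0 exactly as in the
 * backtrace. Short non-NULL lines are already safe here because every BOM
 * byte is non-zero and && stops at the first mismatch, i.e. at the NUL. */
static const char *skip_bom_unchecked(const char *line, unsigned long line_number)
{
    if (!line_number &&
        (unsigned char) line[0] == 0xEF &&
        (unsigned char) line[1] == 0xBB &&
        (unsigned char) line[2] == 0xBF)
        line += 3;
    return line;
}

/* Returns 1 when line starts with the UTF-8 BOM, 0 for NULL or anything else.
 * The loop never reads past a NUL: a NUL mismatches every BOM byte. */
static int has_utf8_bom(const char *line)
{
    size_t i;
    if (line == NULL)
        return 0;
    for (i = 0; i < sizeof UTF8_BOM; i++)
        if ((unsigned char) line[i] != UTF8_BOM[i])
            return 0;
    return 1;
}

/* Hardened form: the pointer is validated before any byte is read, and the
 * BOM is only stripped from the first line of the input (line_number == 0). */
static const char *skip_bom(const char *line, unsigned long line_number)
{
    if (line == NULL)
        return NULL;
    if (line_number == 0 && has_utf8_bom(line))
        return line + sizeof UTF8_BOM;
    return line;
}

/* Constructed stand-in for the client's read loop: lines[] plays the reader,
 * which returns NULL when input is exhausted; on a zero-sized input that is
 * the very first value. Each surviving line is appended to out, separated by
 * a space. Returns the number of lines that reached "execution". */
static size_t process_input(const char *const *lines, size_t count,
                            char *out, size_t outsz)
{
    size_t executed = 0, used = 0;
    unsigned long line_number;

    if (outsz == 0)
        return 0;
    out[0] = '\0';
    for (line_number = 0; line_number < count; line_number++) {
        const char *line = lines[line_number];
        const char *payload;
        int written;

        /* End of input: leave before anything touches the pointer. */
        if (line == NULL)
            break;
        payload = skip_bom(line, line_number);
        written = snprintf(out + used, outsz - used, "%s ", payload);
        if (written < 0)
            break;
        used += (size_t) written;
        if (used >= outsz)          /* output truncated; keep the terminator */
            used = outsz - 1;
        executed++;
    }
    return executed;
}

int main(void)
{
    /* Constructed inputs: a BOM-prefixed script and an empty stream. */
    const char *script[] = {"\xEF\xBB\xBFSELECT 1;", "SELECT 2;"};
    const char *empty[] = {NULL};
    char out[128];
    size_t n;

    n = process_input(script, 2, out, sizeof out);
    printf("%lu line(s) executed: %s\n", (unsigned long) n, out);
    n = process_input(empty, 1, out, sizeof out);
    printf("%lu line(s) executed on empty input\n", (unsigned long) n);
    return 0;
}
```

The point the two shapes make: the three-byte comparison itself was never the over-read risk on a NUL-terminated line, because no BOM byte is 0x00 and `&&` stops at the first mismatch; the fault came from reading through a NULL pointer, so the check that matters is on the pointer, before the first byte is touched.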
[21 Mar 2008 12:42] Domas Mituzas
changed synopsis to indicate that 'mysql' is CLI, not mysql server in general
[21 Mar 2008 12:50] Valeriy Kravchuk
May be a duplicate of bug #34626.
[23 Apr 2008 10:08] Guilhem Bichot
Got it today (segmentation fault under Linux 32 bit), by doing
rm /tmp/a
touch /tmp/a
/m/mysql-5.0-opt/client/mysql -uroot -S var/tmp/master.sock </tmp/a
Segmentation fault
[23 Apr 2008 11:49] Domas Mituzas
--- client/mysql.cc.orig        2008-04-23 12:37:11.000000000 +0300
+++ client/mysql.cc     2008-04-23 12:43:24.000000000 +0300
@@ -1821,7 +1821,7 @@
         the very beginning of a text file when
         you save the file using "Unicode UTF-8" format.
       */
-      if (!line_number &&
+      if (line && !line_number &&
            (uchar) line[0] == 0xEF &&
            (uchar) line[1] == 0xBB &&
            (uchar) line[2] == 0xBF)
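Review bot: the added `line &&` guard in the condition addresses exactly the fault shown in the backtrace (KERN_PROTECTION_FAILURE at address 0x00000000, i.e. a NULL `line` on empty input), and no extra length check is needed for short lines, since every BOM byte is non-zero and the `&&` chain stops at the first mismatching byte, which for a short NUL-terminated line is the terminator. Two things worth adding: a one-line comment above the condition saying that `line` is NULL when the reader hits end of input immediately, so the guard survives a later cleanup, and confirmation that nothing else in the loop body dereferences `line` after this point on the empty-input path, otherwise the guard only moves the crash rather than removing it.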
[24 Apr 2008 19:30] Valeriy Kravchuk
Bug #36322 was marked as a duplicate of this one.
[4 May 2008 9:53] Hartmut Holzgraefe
Introduced in 5.0.54 and 5.1.23; also affects the SOURCE command if the input file given
to it is empty, which makes this a bit more likely to be hit in RL
[30 May 2008 13:25] Domas Mituzas
Bug#37085 was marked as a duplicate.
[15 Jun 2008 13:20] Hartmut Holzgraefe
Looking at it again I'd say it is W2, not W1, as the workaround to test for empty input in
scripts is possible, but no users should be required to change their code to work around
such embarrassing and easy-to-fix bugs just because we can't get it done on our side in a
timely manner ...?
[19 Jun 2008 14:16] Georgi Kodinov
Pushed in 5.1.26
[24 Jun 2008 18:09] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/48400

2643 Gleb Shchepa	2008-06-24
      back-port from 5.1.
      
      Bug#35480: BOM detection code crashes mysql CLI with zero-sized input
            
      MySQL client crashed if no input was passed to it.
[26 Jun 2008 15:40] Bugs System
Pushed into 5.0.66
[10 Jul 2008 19:49] Paul DuBois
Noted in 5.0.66, 5.1.26 changelogs.

The code for detecting a byte order mark (BOM) caused mysql to crash
for empty input. 

Setting report to Patch queued pending push into 6.0.x.
[16 Jul 2008 0:21] Trudy Pelzer
Bug#34626 is a duplicate.
[28 Jul 2008 15:12] Georgi Kodinov
Pushed in 6.0.7-alpha
[28 Jul 2008 17:15] Paul DuBois
Noted in 6.0.7 changelog.
[28 Jul 2008 18:51] Bugs System
Pushed into 5.1.26-rc  (revid:joerg@mysql.com-20080620113208-4l7ejjmj0g0h84p7) (version
source revid:joerg@mysql.com-20080620113208-4l7ejjmj0g0h84p7) (pib:3)