| Bug #35658 | An empty binary value leads to mysqld crash | ||
|---|---|---|---|
| Submitted: | 28 Mar 2008 19:12 | Modified: | 10 Jul 2008 19:55 |
| Reporter: | Kay Roepke | ||
| Status: | Closed | ||
| Category: | Server: Parser | Severity: | S1 (Critical) |
| Version: | 5.0, 5.1, 6.0 | OS: | Any |
| Assigned to: | Marc Alff | Target Version: | |
| Triage: | D1 (Critical) | ||
[28 Mar 2008 19:12]
Kay Roepke
[28 Mar 2008 20:05]
Kay Roepke
select x''; does not cause a crash. Comparing the two methods should indicate the fix.
[2 Apr 2008 22:48]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/44815
ChangeSet@1.2599, 2008-04-02 14:48:27-06:00, malff@lambda.hsd1.co.comcast.net. +3 -0
Bug#35658 (An empty binary value leads to mysqld crash)
Before this fix, the following tokens: x'' b'' were parsed by the lexer as a HEX_NUM and BIN_NUM, but with a wrong value. This caused the parser to later crash when using the value string (for binary), or produce undocumented results (x'' was considered a hexadecimal value of 0). With this fix, these tokens are properly detected as malformed hexadecimal and binary literals.
[3 Apr 2008 10:26]
Sergei Golubchik
According to the SQL standard (part 2 foundations, section 5.3 <literal>):
<binary string literal> ::=
X <quote> [ { <hexit> <hexit> }... ] <quote>
[ { <separator> <quote> [ { <hexit> <hexit> }... ] <quote> }... ]
That is, a binary string literal must have an even number of digits, and (!!!) zero digits is allowed.
[3 Apr 2008 13:53]
Kay Roepke
Sergei,
After re-reading the grammar in the standard, I do not concur (at least not for the copy of SQL 99 I have).
There are two separate rules listed:
<hex string literal> ::=
X <quote> [ <hexit>... ] <quote>
[ { <separator> <quote> [ <hexit>... ] <quote> }... ]
and
<binary string literal> ::=
X <quote> [ { <hexit> <hexit> }... ] <quote>
[ { <separator> <quote> [ { <hexit> <hexit> }... ] <quote> }... ]
The first one would allow e.g. X'a'.
In fact, Syntax Rules 3) specifically states that both the following are equivalent:
X'0a' == X'0' 'a'.
Furthermore, the declared type of <hex string literal> is a fixed length bit string and those are not required to be of even length, AFAICS (according to section 4.4).
Do you know whether the above is correct and if the standard says anything about the expected value of B'' and X''?
[3 Apr 2008 14:20]
Kay Roepke
After discussing this, we determined that SQL2003 differs in its grammar from SQL99 (the one I looked at) and requires an even length of the hex digits in hex strings. We should enforce an even length of hex literal strings and allow x'' to be the empty string (i.e. evaluate to 0 in numeric context). The same applies to b'' (without the even length requirement).
[3 Apr 2008 20:13]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/44886
ChangeSet@1.2599, 2008-04-03 12:12:53-06:00, malff@lambda.hsd1.co.comcast.net. +3 -0
Bug#35658 (An empty binary value leads to mysqld crash)
Before this fix, the following token b'' caused the parser to crash when reading the binary value from the empty string. The crash was caused by: ptr+= max_length - 1; because max_length is unsigned and was 0, causing an overflow. With this fix, an empty binary literal b'' is parsed as a binary value 0, in Item_bin_string.
[28 May 2008 12:02]
Bugs System
Pushed into 6.0.6-alpha
[27 Jun 2008 12:34]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/48628
2676 Gleb Shchepa 2008-06-27 backport to 5.1 from 6.0
Bug#35658 (An empty binary value leads to mysqld crash)
Before this fix, the following token b'' caused the parser to crash when reading the binary value from the empty string. The crash was caused by: ptr+= max_length - 1; because max_length is unsigned and was 0, causing an overflow. With this fix, an empty binary literal b'' is parsed as a binary value 0, in Item_bin_string.
[27 Jun 2008 12:40]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/48629
2676 Gleb Shchepa 2008-06-27 backport to 5.1 from 6.0
Bug#35658 (An empty binary value leads to mysqld crash)
Before this fix, the following token b'' caused the parser to crash when reading the binary value from the empty string. The crash was caused by: ptr+= max_length - 1; because max_length is unsigned and was 0, causing an overflow. With this fix, an empty binary literal b'' is parsed as a binary value 0, in Item_bin_string.
[27 Jun 2008 15:23]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/48641
2660 Gleb Shchepa 2008-06-27 backport to 5.1.26 from 6.0
Bug#35658 (An empty binary value leads to mysqld crash)
Before this fix, the following token b'' caused the parser to crash when reading the binary value from the empty string. The crash was caused by: ptr+= max_length - 1; because max_length is unsigned and was 0, causing an overflow. With this fix, an empty binary literal b'' is parsed as a binary value 0, in Item_bin_string.
[27 Jun 2008 16:35]
Georgi Kodinov
Bug #37655 marked as a duplicate of this one.
[27 Jun 2008 16:36]
Georgi Kodinov
Pushed in 5.1.26
[27 Jun 2008 17:58]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/48657
2645 Gleb Shchepa 2008-06-27 backport from 6.0
Bug#35658 (An empty binary value leads to mysqld crash)
Before this fix, the following token b'' caused the parser to crash when reading the binary value from the empty string. The crash was caused by: ptr+= max_length - 1; because max_length is unsigned and was 0, causing an overflow. With this fix, an empty binary literal b'' is parsed as a binary value 0, in Item_bin_string.
[27 Jun 2008 18:00]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/48658
2645 Gleb Shchepa 2008-06-27 backport from 6.0
Bug#35658 (An empty binary value leads to mysqld crash)
Before this fix, the following token b'' caused the parser to crash when reading the binary value from the empty string. The crash was caused by: ptr+= max_length - 1; because max_length is unsigned and was 0, causing an overflow. With this fix, an empty binary literal b'' is parsed as a binary value 0, in Item_bin_string.
[27 Jun 2008 19:41]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/48669 2661 Joerg Bruehe 2008-06-27 [merge] Merge the fix for bug#37623 (Suffix "-64bit" is duplicated) from 5.0 into the 5.1.26 release clone.
[27 Jun 2008 22:36]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/48679 2678 Gleb Shchepa 2008-06-27 [merge] auto merge from local tree
[9 Jul 2008 14:40]
Georgi Kodinov
Pushed in 5.0.66
[10 Jul 2008 19:55]
Paul DuBois
Noted in 5.0.66, 5.1.26, 6.0.6 changelogs. An empty bit-string literal (b'') caused a server crash. Now the value is parsed as having binary value 0.
[11 Jul 2008 13:28]
Susanne Ebrecht
Bug #38032 was set as duplicate of this bug here.
[11 Jul 2008 18:45]
Paul DuBois
To better describe the format of hex values (and whether they require an even number of digits), I've added this paragraph to http://dev.mysql.com/doc/refman/5.0/en/hexadecimal-values.html: MySQL supports hexadecimal values, written using X'val', x'val', or 0xval format, where val contains hexadecimal digits (0..9, A..F). Lettercase of the digits does not matter. For values written using X'val' or x'val' format, val must contain an even number of digits. For values written using 0xval syntax, values that contain an odd number of digits are treated as having an extra leading 0. For example, 0x0a and 0xaaa are interpreted as 0x0a and 0x0aaa.
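The root cause quoted in the 3 Apr patch note (ptr+= max_length - 1; with an unsigned max_length of 0), the literal rules the thread settled on (even digit count for X'val', X'' and b'' allowed, b'' meaning the value 0) and the 0xval leading-zero rule from the documentation paragraph above, as an added C example. This is not code from the MySQL server or from this bug report: the function names, the big-endian byte packing, the 64-byte scratch buffer and the decision to reject 0x with no digits are this example's own assumptions, and Item_bin_string's real layout is not reproduced. old_last_index_in_bounds() does the crashing arithmetic on an index instead of a pointer so it can be observed without dereferencing anything.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One hex digit (0..9, a..f, A..F) to its value; -1 for anything else. */
static int hexit(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* The arithmetic from the crash, done on an index rather than a pointer:
 * max_length is unsigned, so max_length - 1 wraps when it is 0 and the
 * "last byte" index lands outside any buffer. 1 = in bounds, 0 = not. */
int old_last_index_in_bounds(size_t max_length, size_t buf_size)
{
    size_t last = max_length - 1;   /* wraps to SIZE_MAX for max_length == 0 */
    return last < buf_size;
}

/* b'...': pack 0/1 digits into big-endian bytes from the low bit up.
 * b'' yields the single byte 0 (the fix's choice), so nbytes is never 0
 * and nothing here can wrap. Returns bytes written, -1 on a bad digit. */
int decode_bin_literal(const char *digits, size_t ndigits,
                       unsigned char *out, size_t out_size)
{
    size_t nbytes = ndigits ? (ndigits + 7) / 8 : 1;
    if (nbytes > out_size) return -1;
    memset(out, 0, nbytes);
    for (size_t i = 0; i < ndigits; i++) {
        char c = digits[ndigits - 1 - i];          /* last digit first */
        if (c != '0' && c != '1') return -1;
        if (c == '1') out[nbytes - 1 - i / 8] |= (unsigned char)(1u << (i % 8));
    }
    return (int)nbytes;
}

/* X'...': SQL:2003 wants an even number of hexits, so X'a' is malformed
 * while X'' is valid and decodes to zero bytes. */
int decode_hex_literal(const char *digits, size_t ndigits,
                       unsigned char *out, size_t out_size)
{
    if (ndigits % 2 || ndigits / 2 > out_size) return -1;
    for (size_t i = 0; i < ndigits / 2; i++) {
        int hi = hexit(digits[2 * i]), lo = hexit(digits[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (unsigned char)((hi << 4) | lo);
    }
    return (int)(ndigits / 2);
}

/* 0xval: an odd digit count gets an implied leading 0 (0xaaa -> 0x0aaa).
 * Zero digits is rejected here; that is this example's choice. */
int decode_0x_literal(const char *digits, size_t ndigits,
                      unsigned char *out, size_t out_size)
{
    size_t nbytes = (ndigits + 1) / 2, d = 0;
    if (ndigits == 0 || nbytes > out_size) return -1;
    for (size_t i = 0; i < nbytes; i++) {
        int hi = (i == 0 && ndigits % 2) ? 0 : hexit(digits[d++]);
        int lo = hexit(digits[d++]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (unsigned char)((hi << 4) | lo);
    }
    return (int)nbytes;
}

/* Dispatch on the prefix: b'..'/B'..', x'..'/X'..', or lowercase 0x. */
int decode_literal(const char *tok, unsigned char *out, size_t out_size)
{
    size_t n = strlen(tok);
    int quoted = n >= 3 && tok[1] == '\'' && tok[n - 1] == '\'';
    if (quoted && (tok[0] == 'b' || tok[0] == 'B'))
        return decode_bin_literal(tok + 2, n - 3, out, out_size);
    if (quoted && (tok[0] == 'x' || tok[0] == 'X'))
        return decode_hex_literal(tok + 2, n - 3, out, out_size);
    if (n >= 2 && tok[0] == '0' && tok[1] == 'x')
        return decode_0x_literal(tok + 2, n - 2, out, out_size);
    return -1;
}

/* Scalar views for checking: byte count of tok (-1 if malformed), byte i. */
static unsigned char scratch[64];
int literal_len(const char *tok) { return decode_literal(tok, scratch, sizeof scratch); }
int literal_byte(const char *tok, size_t i)
{
    int n = decode_literal(tok, scratch, sizeof scratch);
    return (n < 0 || i >= (size_t)n) ? -1 : scratch[i];
}

int main(void)
{
    const char *samples[] = { "b''", "b'101'", "x''", "x'0a'", "x'a'", "0xaaa" };
    printf("old code, max_length=0, in bounds: %d\n", old_last_index_in_bounds(0, 16));
    for (size_t s = 0; s < sizeof samples / sizeof samples[0]; s++) {
        int n = literal_len(samples[s]);
        printf("%-7s -> %d byte(s)", samples[s], n);
        for (int i = 0; i < n; i++) printf(" %02x", scratch[i]);
        printf("%s\n", n < 0 ? " (malformed)" : "");
    }
    return 0;
}
```

The point to take from the b'' path is structural: once the empty literal is mapped to a byte count of at least one before any pointer or index arithmetic happens, there is no subtraction left that can wrap, which is a safer shape than guarding the subtraction itself.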
[9 Sep 2008 12:10]
Shane Bester
bug #39336 was marked as a duplicate of this
[17 Sep 2008 8:12]
Jaga Arikela
I am unable to reproduce this bug on my machine. I am running mysql server version 5.0.45 on a Windows XP machine. Please help me in reproducing the bug.
