Bug #103 Bug in mysys/charset.c:get_word()
Submitted: 26 Feb 2003 11:55 Modified: 26 Apr 2003 6:00
Reporter: [ name withheld ]
Status: Closed
Category:MySQL Server Severity:S3 (Non-critical)
Version:3.23.55 OS:
Assigned to: Alexander Barkov CPU Architecture:Any

[26 Feb 2003 11:55] [ name withheld ]
Description:
Here is the get_word function:

static my_bool get_word(struct simpleconfig_buf_st *fb, char *buf)
{
  char *endptr=fb->p;

  for (;;)
  {
    while (isspace(*endptr))
      ++endptr;
    if (*endptr && *endptr != '#')              /* Not comment */
      break;                                    /* Found something */
    if ((fgets(fb->buf, sizeof(fb->buf), fb->f)) == NULL)
      return TRUE; /* end of file */
    endptr = fb->buf;
  }

  while (!isspace(*endptr))
    *buf++= *endptr++;
  *buf=0;
  fb->p = endptr;

  return FALSE;
}
                                                                                                                              
It is called from fill_array(), which is called from read_charset_file().
Consider a charset file which ends like this:

...
  B8  BA  BC  BE  C0  C2  C4  C6  C8  CA  CC  CE  D0  D2  D4  D6<EOF HERE>

I.e. no '\n' at the end of the file (the file comes from a developer on a Windows
machine, and Windows editors tend to strip the final newline for some reason).
The affected line is:

  while (!isspace(*endptr))

It will hit '\0' (or another arbitrary value if the line is longer than the buffer)
when it is past the data read by fgets(), which is not a whitespace character as
assumed. isspace() returns false and the copying process will continue with
unexpected results.

How to repeat:

Suggested fix:
Should be changed to (*endptr && !isspace(*endptr)).
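The following is an added example, not MySQL's own code, that models the scenario in the report: a fixed-size fgets() buffer whose last read was a final line "D6" with no trailing newline, with constructed stale bytes from an earlier, longer line still sitting after the '\0'. It measures how far the report's loop condition walks compared with the suggested fix, and shows a get_word()-style copy using the fixed condition (BUFSZ, the stale line contents and the function names are assumptions of this example).

```c
#include <ctype.h>
#include <string.h>

#define BUFSZ 32

/* Constructed fgets() buffer: a longer earlier line left stale bytes behind,
 * then the final line "D6" (no trailing '\n') was read on top of it.
 * Only the first three bytes ("D6\0") are valid data. */
static void build_last_line(char buf[BUFSZ])
{
    memset(buf, 0, BUFSZ);
    memcpy(buf, "0123456789ABCDEF0123456789ABCD\n", 31); /* stale earlier line */
    memcpy(buf, "D6", 3);                                   /* final fgets() result */
}

/* Bytes consumed before the loop stops. stop_at_nul == 0 is the report's
 * condition: it runs straight through the '\0' into stale data (the BUFSZ
 * bound is added only so this demo stays inside the array; the real loop
 * has no bound). stop_at_nul == 1 is the suggested fix. */
static size_t scan_token(const char *buf, int stop_at_nul)
{
    size_t n = 0;
    while (n < BUFSZ && !isspace((unsigned char)buf[n])) {
        if (stop_at_nul && buf[n] == '\0')
            break;
        n++;
    }
    return n;
}

/* get_word()-style copy using the fixed condition plus an output bound;
 * returns the token length and always NUL-terminates out. */
static size_t get_word_fixed(const char *p, char *out, size_t outsz)
{
    size_t n = 0;
    while (*p && !isspace((unsigned char)*p) && n + 1 < outsz)
        out[n++] = *p++;
    out[n] = '\0';
    return n;
}

/* Scenario wrappers: unguarded scan consumes 30 bytes, guarded scan 2. */
static size_t demo_scan(int stop_at_nul) { char b[BUFSZ]; build_last_line(b); return scan_token(b, stop_at_nul); }
static int demo_fixed_word_ok(void)
{
    char b[BUFSZ], out[8];
    build_last_line(b);
    return get_word_fixed(b, out, sizeof out) == 2 && strcmp(out, "D6") == 0;
}
```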
[11 Mar 2003 12:59] Lenz Grimmer
Bar, could you please have a look at this?
[26 Apr 2003 6:00] Michael Widenius
Thank you for your bug report. This issue has been fixed in the latest
development tree for that product. You can find more information about
accessing our development trees at 
    http://www.mysql.com/doc/en/Installing_source_tree.html

Fixed in 3.23 tree