Bug #35480 BOM detection code crashes mysql CLI with zero-sized input
Submitted: 21 Mar 2008 11:41
Modified: 28 Jul 2008 15:15
Reporter: Domas Mituzas
Status: Closed
Category: MySQL Server: Command-line Clients
Severity: S3 (Non-critical)
Version: 5.0.54 - 5.0-bk, 5.1.23 - 5.1-bk
OS: Any
Assigned to: Tatiana Azundris Nuernberg
CPU Architecture: Any
Tags: patch, regression

[21 Mar 2008 11:41] Domas Mituzas
Description:
MySQL client crashes with very unhealthy 'Bus error' in BOM detection code if no input is passed to it:

      if (!line_number &&
           (uchar) line[0] == 0xEF &&
           (uchar) line[1] == 0xBB &&
           (uchar) line[2] == 0xBF)
        line+= 3;

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x00008045 in read_and_execute (interactive=false) at mysql.cc:1807
1807          if (!line_number &&
(gdb) bt
#0  0x00008045 in read_and_execute (interactive=false) at mysql.cc:1807
#1  0x0000a650 in main (argc=2, argv=0x11003e0) at mysql.cc:1205
Current language:  auto; currently c++

How to repeat:
flute:~ midom$ mysql < /dev/null
Bus error
flute:~ midom$ sleep 0 | mysql
Bus error

Suggested fix:
check if there's any data before reading it :)
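The crash above comes from indexing into `line` when no line was read at all. As an added illustration (not code from the bug report or from the MySQL source), here is a hypothetical helper `skip_utf8_bom` that performs the same first-line BOM check but treats a missing line as "nothing to inspect" and returns it unchanged; the sample inputs are constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not MySQL's code): skip a UTF-8 BOM (EF BB BF) at
 * the start of the first input line.  Returns the pointer advanced past
 * the BOM, or the original pointer when there is no BOM.  A NULL line,
 * the "no input at all" case from the report, is returned as-is instead
 * of being dereferenced. */
const char *skip_utf8_bom(const char *line, unsigned long line_number)
{
    if (line == NULL)          /* empty stdin / empty SOURCE file */
        return NULL;
    if (line_number != 0)      /* a BOM is only meaningful on line 0 */
        return line;
    /* The && chain stops at the first mismatch, so a NUL-terminated line
     * shorter than three bytes never reads past its terminator. */
    if ((unsigned char) line[0] == 0xEF &&
        (unsigned char) line[1] == 0xBB &&
        (unsigned char) line[2] == 0xBF)
        return line + 3;
    return line;
}

/* Constructed sample inputs used to exercise the helper. */
static const char bom_query[]   = "\xEF\xBB\xBFSELECT 1;";
static const char plain_query[] = "SELECT 1;";
static const char partial_bom[] = "\xEF\xBB";
static const char empty_line[]  = "";

/* Returns 1 if skip_utf8_bom stripped a BOM from line, else 0. */
int bom_was_stripped(const char *line, unsigned long line_number)
{
    const char *out = skip_utf8_bom(line, line_number);
    return out != NULL && out == line + 3;
}

int main(void)
{
    printf("NULL input -> %s\n",
           skip_utf8_bom(NULL, 0) == NULL ? "NULL, no crash" : "unexpected");
    printf("BOM line   -> \"%s\"\n", skip_utf8_bom(bom_query, 0));
    printf("plain line -> \"%s\"\n", skip_utf8_bom(plain_query, 0));
    printf("partial    -> stripped=%d\n", bom_was_stripped(partial_bom, 0));
    printf("empty line -> stripped=%d\n", bom_was_stripped(empty_line, 0));
    printf("line 1     -> stripped=%d\n", bom_was_stripped(bom_query, 1));
    return 0;
}
```

The NULL check is the fix for the reported crash; the remaining cases (partial BOM, empty string, BOM on a later line) show that the original three-way comparison was already safe for any non-NULL, NUL-terminated buffer.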
[21 Mar 2008 11:42] Domas Mituzas
changed synopsis to indicate that 'mysql' is CLI, not mysql server in general
[21 Mar 2008 11:50] Valeriy Kravchuk
May be a duplicate of bug #34626.
[23 Apr 2008 8:08] Guilhem Bichot
Got it today (segmentation fault under Linux 32 bit), by doing
rm /tmp/a
touch /tmp/a
/m/mysql-5.0-opt/client/mysql -uroot -S var/tmp/master.sock </tmp/a
Segmentation fault
[23 Apr 2008 9:49] Domas Mituzas
--- client/mysql.cc.orig        2008-04-23 12:37:11.000000000 +0300
+++ client/mysql.cc     2008-04-23 12:43:24.000000000 +0300
@@ -1821,7 +1821,7 @@
         the very beginning of a text file when
         you save the file using "Unicode UTF-8" format.
       */
-      if (!line_number &&
+      if (line && !line_number &&
            (uchar) line[0] == 0xEF &&
            (uchar) line[1] == 0xBB &&
            (uchar) line[2] == 0xBF)
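Review bot: the added `line &&` guard in the `if` at the top of the hunk is the right minimal fix for the NULL dereference shown in the backtrace; because the three byte comparisons are chained with `&&` and stop at the first mismatch, a non-NULL, NUL-terminated line shorter than three bytes is already handled by the existing conditions, so no explicit length check is needed here. Two things worth adding before this goes in: a one-line comment above the condition stating that `line` can be NULL when the input is empty (stdin redirected from an empty file, or an empty SOURCE file), so the guard is not removed as "dead" later, and a check that nothing else in the loop body following this block dereferences `line` before the empty-input case is dealt with, since only the BOM check is visible in this hunk.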
[24 Apr 2008 17:30] Valeriy Kravchuk
Bug #36322 was marked as a duplicate of this one.
[4 May 2008 7:53] Hartmut Holzgraefe
Introduced in 5.0.54 and 5.1.23, also affects the SOURCE command if the input file given to it is empty which makes this a bit more likely to be hit in RL
[30 May 2008 11:25] Domas Mituzas
Bug#37085 was marked as a duplicate.
[15 Jun 2008 11:20] Hartmut Holzgraefe
Looking at it again I'd say it is W2, not W1, as the workaround to test for empty input in scripts is possible but no users should be required to change their code to work around such embarrassing and easy-to-fix bugs just because we can't get it done on our side in a timely manner ...?
[19 Jun 2008 12:16] Georgi Kodinov
Pushed in 5.1.26
[24 Jun 2008 16:09] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/48400

2643 Gleb Shchepa	2008-06-24
      back-port from 5.1.

      Bug#35480: BOM detection code crashes mysql CLI with zero-sized input

      MySQL client crashed if no input was passed to it.
[26 Jun 2008 13:40] Bugs System
Pushed into 5.0.66
[10 Jul 2008 17:49] Paul DuBois
Noted in 5.0.66, 5.1.26 changelogs.

The code for detecting a byte order mark (BOM) caused mysql to crash
for empty input. 

Setting report to Patch queued pending push into 6.0.x.
[15 Jul 2008 22:21] Trudy Pelzer
Bug#34626 is a duplicate.
[28 Jul 2008 13:12] Georgi Kodinov
Pushed in 6.0.7-alpha
[28 Jul 2008 15:15] Paul DuBois
Noted in 6.0.7 changelog.
[28 Jul 2008 16:51] Bugs System
Pushed into 5.1.26-rc  (revid:joerg@mysql.com-20080620113208-4l7ejjmj0g0h84p7) (version source revid:joerg@mysql.com-20080620113208-4l7ejjmj0g0h84p7) (pib:3)