Description:
When debugging an Item_func_set_user_var object to retrieve its value in string format, e.g. with 'p suv->get_string_value()' in gdb,
sometimes the printed string value is not the value expected.
When we execute the SQL statement "set @v='aa';", the value is correct. But after executing the SQL statement "set @v=repeat('a', 2);"
we retrieve a string with more characters.
After debugging into get_string_value, in the branch
case STRING_RESULT:
{
  if (!save_result.vstr) // Null value
    ss << "";
  else
    ss << save_result.vstr->ptr();
  break;
}
we found that save_result.vstr->ptr() is a NULL-terminated string when executing "set @v='aa'", while for "set @v=repeat('a', 2);"
it isn't NULL-terminated.
So I guess that "set @v=repeat('a', 2);" builds a string without filling a NULL at the end.
Although the function Item_func_set_user_var::get_string_value is called from nowhere, I think this is a potential risk.
How to repeat:
Execute SQL statement "set @v='aa';", and print the generated object in gdb mode.
Suggested fix:
Remove this function, or use the real length to build the string value, as below.
case STRING_RESULT:
{
  if (!save_result.vstr) // Null value
    ss << "";
  else
  {
    string s(save_result.vstr->ptr(), save_result.vstr->length());
    ss << s;
  }
  break;
}
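The following is an added, self-contained illustration of the two formatting paths above; it is not code from the bug report or from the MySQL source tree. It assumes a minimal stand-in for the server's String class (only ptr() and length() are modelled) and a constructed backing buffer whose logical length is 2 but which carries extra bytes before its terminator, mirroring what the report observes for repeat('a', 2). Streaming ptr() directly trusts a terminator that the value does not have, so it yields the trailing bytes; building the std::string from the real length yields exactly the value.

```cpp
#include <cstddef>
#include <cstdio>
#include <sstream>
#include <string>

// Assumed stand-in for the server's String class: only the ptr()/length()
// accessors used by get_string_value are modelled.
class FakeString {
 public:
  FakeString(const char *p, size_t len) : m_ptr(p), m_length(len) {}
  const char *ptr() const { return m_ptr; }
  size_t length() const { return m_length; }

 private:
  const char *m_ptr;
  size_t m_length;
};

// Constructed sample: the logical value is "aa" (length 2), but the backing
// storage holds further bytes and the NUL only comes after them, so the value
// itself is not NUL-terminated. (The terminator is kept further along only so
// that the unsafe read below stays well-defined for the demonstration.)
static const char kBacking[] = "aaXYZ";
static const FakeString kRepeatValue(kBacking, 2);

// Original behaviour of the STRING_RESULT branch: relies on a terminator
// immediately after the value, which is not guaranteed.
std::string format_with_ptr(const FakeString *vstr) {
  std::ostringstream ss;
  if (!vstr)  // Null value
    ss << "";
  else
    ss << vstr->ptr();
  return ss.str();
}

// Suggested fix: build the std::string from the real length, so no terminator
// is needed and no bytes past the value are read.
std::string format_with_length(const FakeString *vstr) {
  std::ostringstream ss;
  if (!vstr)  // Null value
    ss << "";
  else {
    std::string s(vstr->ptr(), vstr->length());
    ss << s;
  }
  return ss.str();
}

int main() {
  std::printf("ptr()   -> \"%s\"\n", format_with_ptr(&kRepeatValue).c_str());
  std::printf("length()-> \"%s\"\n", format_with_length(&kRepeatValue).c_str());
  return 0;
}
```

In the real server the bytes following the value are whatever happens to sit after the String buffer, so the unterminated read is an out-of-bounds read rather than merely a wrong display; constructing from length() removes that dependency entirely.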