| Bug #20152 | mysql_stmt_execute() overwrites parameter buffers | ||
|---|---|---|---|
| Submitted: | 30 May 2006 18:40 | Modified: | 4 Aug 2006 17:11 |
| Reporter: | Axel Schwenke | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server: Prepared statements | Severity: | S3 (Non-critical) |
| Version: | 5.0.20 | OS: | Linux (Linux) |
| Assigned to: | Tomash Brechko | CPU Architecture: | Any |
[31 May 2006 22:10]
Jorge del Conde
Hi Axel, I do not see the test files attached to the bug report. Can you please send them to me? Thanks!
[1 Jun 2006 23:24]
Axel Schwenke
test_date_time1.c
Attachment: test_date_time1.c (text/plain), 1.63 KiB.
[1 Jun 2006 23:24]
Axel Schwenke
test_date_time2.c
Attachment: test_date_time2.c (text/plain), 2.66 KiB.
[6 Jun 2006 16:59]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/7327
[18 Jun 2006 20:38]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/7818
[19 Jun 2006 18:06]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/7873
[28 Jun 2006 13:28]
Konstantin Osipov
Axel, the patch is approved. Please push it into the runtime tree.
[30 Jun 2006 8:51]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/8538
[30 Jun 2006 10:44]
Tomash Brechko
Pushed to 4.1 tagged 4.1.21.
[2 Aug 2006 15:56]
Konstantin Osipov
Fixed in 5.0.24 and 5.1.12
[4 Aug 2006 17:11]
Paul DuBois
Noted in 4.1.21, 5.0.24, 5.1.12 changelogs. For a DATE parameter sent via a MYSQL_TIME data structure, mysql_stmt_execute() zeroed the hour, minute, and second members of the structure rather than treating them as read-only.

Description:

When sending MYSQL_TYPE_DATE data as parameter for a prepared statement, the hour, minute, second and second_part members of the client supplied MYSQL_TIME structure are written to zero. This must not happen. Parameters to prepared statements should be treated read only.

One manifestation of this bug is demonstrated in the attached test_date_time1.c program, that inserts into DATE, TIME and TIMESTAMP columns using the same MYSQL_TIME data structure on the client. As soon as the MYSQL_TYPE_DATE parameter is evaluated and sent to the server, the TIME part in the MYSQL_TIME struct is zeroed.

The second test program test_date_time2.c uses 3 separate MYSQL_TIME structs and prints them before and after mysql_stmt_execute().

How to repeat:

Create the test table:

```
CREATE TABLE test.t1 (
  id INT PRIMARY KEY AUTO_INCREMENT,
  date_field DATE,
  time_field TIME,
  timestamp_field TIMESTAMP
);
```

Run the attached programs:

```
$./test_date_time1
insert complete
$./test_date_time2
Parameters before execute:
ts[0] = 2003-04-05 11:21:31.000000
ts[1] = 2003-04-05 11:21:31.000000
ts[2] = 2003-04-05 11:21:31.000000
insert complete
Parameters after execute:
ts[0] = 2003-04-05 00:00:00.000000
ts[1] = 2003-04-05 11:21:31.000000
ts[2] = 2003-04-05 11:21:31.000000
```

Look at the table contents:

```
mysql> select * from t1;
+----+------------+------------+---------------------+
| id | date_field | time_field | timestamp_field     |
+----+------------+------------+---------------------+
|  1 | 2003-04-05 | 120:00:00  | 2003-04-05 00:00:00 |
|  2 | 2003-04-05 | 131:21:31  | 2003-04-05 11:21:31 |
+----+------------+------------+---------------------+
```

Obviously the first row is wrong.

Suggested fix:

Rewrite store_param_date() in libmysql.c to not overwrite the provided buffer.
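The overwrite described above, next to the copy-based approach the suggested fix asks for, as an added illustration that is not code from libmysql.c or the attached test programs. `demo_time`, `encode`, the `store_date_*` functions and `shared_bind_intact` are hypothetical stand-ins, and the text rendering stands in for the wire format.

```c
#include <stdio.h>

/* Hypothetical stand-in for MYSQL_TIME: only the members the report names. */
typedef struct {
    unsigned int year, month, day, hour, minute, second;
    unsigned long second_part;
} demo_time;

/* Stand-in for the wire encoder: renders the value as text into out. */
static void encode(char *out, size_t n, const demo_time *t) {
    snprintf(out, n, "%04u-%02u-%02u %02u:%02u:%02u.%06lu", t->year, t->month,
             t->day, t->hour, t->minute, t->second, t->second_part);
}

/* Behaviour described in the report: the DATE encoder clears the time
   members directly in the caller's buffer. */
static void store_date_inplace(char *out, size_t n, demo_time *param) {
    param->hour = param->minute = param->second = 0;
    param->second_part = 0;
    encode(out, n, param);
}

/* Read-only variant: const parameter, truncation done on a local copy. */
static void store_date_copy(char *out, size_t n, const demo_time *param) {
    demo_time tmp = *param;
    tmp.hour = tmp.minute = tmp.second = 0;
    tmp.second_part = 0;
    encode(out, n, &tmp);
}

/* Binds one struct as DATE and then as TIMESTAMP, as test_date_time1.c is
   described as doing; returns 1 if the caller's time members survive. */
static int shared_bind_intact(int use_copy, char *date_out, char *ts_out, size_t n) {
    demo_time ts = {2003, 4, 5, 11, 21, 31, 0};   /* values from the report */
    demo_time before = ts;
    if (use_copy) store_date_copy(date_out, n, &ts);
    else          store_date_inplace(date_out, n, &ts);
    encode(ts_out, n, &ts);                        /* TIMESTAMP parameter */
    return ts.hour == before.hour && ts.minute == before.minute &&
           ts.second == before.second && ts.second_part == before.second_part;
}

int main(void) {
    char d[40], t[40];
    for (int copy = 0; copy <= 1; copy++) {
        int ok = shared_bind_intact(copy, d, t, sizeof d);
        printf("%s: date=%s timestamp=%s intact=%d\n",
               copy ? "copy" : "in-place", d, t, ok);
    }
    return 0;
}
```

Declaring the parameter `const` lets the compiler reject any later change that writes through the caller's buffer.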