Bug #2113 select CONVERT(string USING non_compiled_characterset) crash mysqld
Submitted: 14 Dec 2003 17:13 Modified: 24 Dec 2003 3:47
Reporter: Miguel Solorzano
Status: Closed
Category: MySQL Server Severity: S2 (Serious)
Version: 4.1.1 and BK tree OS: Linux (Suse 8.2)
Assigned to: Alexander Barkov CPU Architecture: Any

[14 Dec 2003 17:13] Miguel Solorzano
Description:
The mysqld server crashes if issued a command select convert(...) with a
non-compiled character set:

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 4.1.2-alpha-debug-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select convert('bar@mysql.com' using ucs2);

See call stack at the bottom.

After compiling the server with that character set, the crash
does not happen:

mysql> select convert('bar@mysql.com' using ucs2);
+-------------------------------------+
| convert('bar@mysql.com' using ucs2) |
+-------------------------------------+
| bar@mysql.com                       |
+-------------------------------------+
1 row in set (0.05 sec)

CALL STACK:

/home/miguel/mysqldb-4.1/libexec/mysqld: ready for connections.
Version: '4.1.2-alpha-debug-log'  socket: '/home/miguel/mysqldb-4.1/mysql.sock'  port: 3306
[New Thread 147466 (LWP 21326)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 147466 (LWP 21326)]
0x08137123 in copy_and_convert(char*, unsigned, charset_info_st*, char const*, unsigned, charset_info_st*) (to=0xbe7fee6c "", to_length=0, to_cs=0x8458bc8, from=0x8555b81 "ar@mysql.com",
    from_length=13, from_cs=0x8436620) at sql_string.cc:671
671         if ((cnvres= to_cs->cset->wc_mb(to_cs, wc, (uchar*) to, to_end)) > 0)
(gdb) backtrace full
#0  0x08137123 in copy_and_convert(char*, unsigned, charset_info_st*, char const*, unsigned, charset_info_st*) (to=0xbe7fee6c "", to_length=0, to_cs=0x8458bc8,
    from=0x8555b81 "ar@mysql.com", from_length=13, from_cs=0x8436620) at sql_string.cc:671
        cnvres = 0
        wc = 98
        from_end = (const uchar *) 0x8555b8d ""
        to_start = 0xbe7fee6c ""
        to_end = (uchar *) 0xbe7fee6c ""
#1  0x081367aa in String::copy(char const*, unsigned, charset_info_st*, charset_info_st*) (
    this=0xbe7fee4c, str=0x8555b80 "bar@mysql.com", arg_length=13, from_cs=0x8436620,
    to_cs=0x8458bc8) at sql_string.cc:243
        new_length = 0
#2  0x080fefe3 in Item_func_conv_charset::val_str(String*) (this=0x8555bf8, str=0xbe7fee4c)
    at sql_string.h:87
        arg = (class String *) 0x0
#3  0x080d6ab6 in Item::send(Protocol*, String*) (this=0x8555bf8, protocol=0x8555044,
    buffer=0xbe7fee4c) at item.cc:1323
        res = (class String *) 0xbe7fed34
        result = 24
        type = 253
#4  0x0812ca11 in select_send::send_data(List<Item>&) (this=0x8555cd8, items=@0x8555044)
    at sql_class.cc:652
        li = {<base_list_iterator> = {list = 0x8554c80, el = 0x8555c60, prev = 0x0,
    current = 0x0}, <No data fields>}
        protocol = (class Protocol *) 0x8555044
        buff = '\0' <repeats 124 times>, "\001,\004@", '\0' <repeats 12 times>, "..\004@", '\0' <repeats 12 times>, "..\004@", '\0' <repeats 12 times>, "Ðk\004@ F/@à¼T\bDï\177¾ÿû\003@0F/@0\0\0\0 F/@\220;/@\220;/@ F/@dï\177¾ey#@ F/@(\0\0\0¤ï\177¾(\0\0\0(\0\0\0à¼T\b¤ï\177¾\006ë6\b0\0\0\0\210ï\177¾\214ï\177¾\001,\004@à¼T\b fC\b´ï\177¾ýp\023\bàTC\bÌHU\b\001\0\0\0..\004@\0\0\0\0<\223B\b\0\0\0\0\0\0\0\0"...
        buffer = {Ptr = 0xbe7fee6c "", str_length = 766, Alloced_length = 766,
  alloced = false, str_charset = 0x8435c40}
        _db_func_ = 0x0
        _db_file_ = 0x0
        _db_level_ = 0
        _db_framep_ = (char **) 0x0
        item = (class Item *) 0x8555b80
#5  0x081701d4 in JOIN::exec() (this=0x8555ce8) at sql_select.cc:1092
        tmp_error = 139812072
        _db_func_ = 0xbe7ff244 "´ò\177¾úá\026\bÀHU\büLU\b"
        _db_file_ = 0x81714fe "\203Ä0\205Àut\203ì\fSè¢Õÿÿ\203Ä\020\205Àud\213E\bö\200\024\a"
        _db_level_ = 139812072
        _db_framep_ = (char **) 0x8554cfc
        curr_join = (JOIN *) 0x8554c18
        curr_all_fields = (List<Item> *) 0x8555cd8
        curr_fields_list = (List<Item> *) 0x8554c18
        curr_tmp_table = (TABLE *) 0x8555ce8
#6  0x08171558 in mysql_select(THD*, Item***, st_table_list*, unsigned, List<Item>&, Item*, unsigned, st_order*, st_order*, Item*, st_order*, unsigned long, select_result*, st_select_lex_unit*, st_select_lex*) (thd=0x85548c0, rref_pointer_array=0x8554cfc, tables=0x0, wild_num=0,
    fields=@0x8554c80, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0,
    proc_param=0x0, select_options=8669696, result=0x8555cd8, unit=0x8554b44,
    select_lex=0x8554c18) at sql_select.cc:1601
        err = -1098911052
        free_join = true
        _db_func_ = 0x85548c0 "X*:\b°\213C\b´\213C\b\210¼T\bHìT\bH\fU\b\217ìT\bHìT\b\020"
        _db_file_ = 0x8555cd8 "è):\bÀHU\bDKU\b"
        _db_level_ = 139807556
        _db_framep_ = (char **) 0xbe7ff2b4
        join = (JOIN *) 0x8555ce8
#7  0x0816e1fa in handle_select(THD*, st_lex*, select_result*) (thd=0x85548c0,
    lex=0x8554b38, result=0x8555cd8) at sql_select.cc:182
        res = 139807768
        select_lex = (SELECT_LEX *) 0x8554c18
        _db_func_ = 0x812c829 "\203Ä\020\211C\004\213]üÉÃU\211åS\203ì\020\213]\bÇ\003(*:\bÿ54\216C\bè­.úÿ\203Ä\020\211C\004\213]üÉÃU\211å\203ì\fÿu\020ÿu\f\213E\bÿp\004è¡]"
        _db_file_ = 0x1 <Address 0x1 out of bounds>
        _db_level_ = 12
        _db_framep_ = (char **) 0xbe7ff784
#8  0x0814cd59 in mysql_execute_command(THD*) (thd=0x85548c0) at sql_parse.cc:2221
        want_priv = 139812056
        res = 0
        lex = (LEX *) 0x8554b38
        tables = (TABLE_LIST *) 0x0
        select_lex = (SELECT_LEX *) 0x8554c18
        unit = (SELECT_LEX_UNIT *) 0x8554b44
        _db_func_ = 0x0
        _db_file_ = 0x0
        _db_level_ = 0
        _db_framep_ = (char **) 0x0
#9  0x0815086a in mysql_parse(THD*, char*, unsigned) (thd=0x85548c0,
    inBuf=0x8555b40 "select convert('bar@mysql.com' using ucs2)", length=139807544)
    at sql_parse.cc:3927
        lex = (LEX *) 0x8554b38
        _db_func_ = 0x85548c0 "X*:\b°\213C\b´\213C\b\210¼T\bHìT\bH\fU\b\217ìT\bHìT\b\020"
        _db_file_ = 0x3 <Address 0x3 out of bounds>
        _db_level_ = 139806912
        _db_framep_ = (char **) 0xbe7ff9d4
#10 0x0814b0dc in dispatch_command(enum_server_command, THD*, char*, unsigned) (
    command=COM_QUERY, thd=0x85548c0, packet=0x854ec49 "", packet_length=43)
    at sql_parse.cc:1387
        net = (NET *) 0x85548cc
        error = false
        _db_func_ = 0xbe7ff8fc ""
        _db_file_ = 0x4003d7ae "\211ò\210\220\201"
        _db_level_ = 3196057924
        _db_framep_ = (char **) 0x2b
        start_of_query = 139806912
#11 0x0814ab44 in do_command(THD*) (thd=0x85548c0) at sql_parse.cc:1217
        packet = 0x854ec48 "\001"
        old_timeout = 30
        packet_length = 43
        net = (NET *) 0x85548cc
        command = COM_QUERY
        _db_func_ = 0x812ac8d "\203Ä\020\213]üÉÃ\220U\211åS\203ì\020\213]\bSè:"
        _db_file_ = 0x85554bc "0nT\b"
        _db_level_ = 8192
        _db_framep_ = (char **) 0x1000
#12 0x0814a18e in handle_one_connection (arg=0x0) at sql_parse.cc:979
        error = -1098912460
        net = (NET *) 0x85548cc
        thd = (class THD *) 0x85548c0
        launch_time = 0
        set = {__val = {0 <repeats 32 times>}}
#13 0x4003ec60 in pthread_start_thread () from /lib/libpthread.so.0
No symbol table info available.
#14 0x4003ecdf in pthread_start_thread_event () from /lib/libpthread.so.0

How to repeat:
See description.

Suggested fix:
Send an error message for a non-compiled character set.
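As an added illustration (not code from the bug report or from the MySQL source tree), the following C model shows the failure mode the backtrace points at and the guard the suggested fix calls for. It assumes, as a simplification, that a character set which was not compiled into the server has no `cset` handler (a NULL pointer), so dispatching `to_cs->cset->wc_mb` through it faults instead of converting; the real server's CHARSET_INFO layout and the exact reason the handler was unusable in 4.1.1 are not stated on the page. The struct names, the `compiled` flag and the function `copy_and_convert_checked` are constructed for this example, and the sample input is the string from the report's query.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for MySQL's CHARSET_INFO and its cset handler
   (constructed for this example; not the server's real definitions). */
typedef uint32_t my_wc_t;

typedef struct charset_handler {
    /* Decode one character from [s, e) into *wc; returns bytes consumed, <= 0 on error. */
    int (*mb_wc)(my_wc_t *wc, const unsigned char *s, const unsigned char *e);
    /* Encode wc into [s, e); returns bytes written, <= 0 on error or no room. */
    int (*wc_mb)(my_wc_t wc, unsigned char *s, unsigned char *e);
} charset_handler;

typedef struct charset_info {
    const char *name;
    int compiled;                /* nonzero when the converter was built into the server */
    const charset_handler *cset; /* assumed NULL for a charset that was not compiled in */
} charset_info;

/* latin1: one byte per character. */
static int latin1_mb_wc(my_wc_t *wc, const unsigned char *s, const unsigned char *e) {
    if (s >= e) return 0;
    *wc = *s;
    return 1;
}
static int latin1_wc_mb(my_wc_t wc, unsigned char *s, unsigned char *e) {
    if (wc > 0xFF) return -1;    /* not representable in latin1 */
    if (s >= e) return 0;        /* destination full */
    *s = (unsigned char) wc;
    return 1;
}

/* ucs2: two bytes per character, big-endian. */
static int ucs2_mb_wc(my_wc_t *wc, const unsigned char *s, const unsigned char *e) {
    if (e - s < 2) return 0;
    *wc = ((my_wc_t) s[0] << 8) | s[1];
    return 2;
}
static int ucs2_wc_mb(my_wc_t wc, unsigned char *s, unsigned char *e) {
    if (wc > 0xFFFF) return -1;
    if (e - s < 2) return 0;
    s[0] = (unsigned char) (wc >> 8);
    s[1] = (unsigned char) (wc & 0xFF);
    return 2;
}

static const charset_handler latin1_handler = { latin1_mb_wc, latin1_wc_mb };
static const charset_handler ucs2_handler   = { ucs2_mb_wc,   ucs2_wc_mb   };

const charset_info cs_latin1        = { "latin1", 1, &latin1_handler };
const charset_info cs_ucs2_compiled = { "ucs2",   1, &ucs2_handler   };
const charset_info cs_ucs2_missing  = { "ucs2",   0, NULL };  /* server built without ucs2 */

/* Converts from_cs -> to_cs. Returns bytes written to 'to', or -1 when a converter is
   missing: the guard the suggested fix asks for, so the caller can report an error
   instead of the server calling through a null handler. */
long copy_and_convert_checked(unsigned char *to, size_t to_length, const charset_info *to_cs,
                              const unsigned char *from, size_t from_length,
                              const charset_info *from_cs)
{
    if (!from_cs->compiled || !from_cs->cset || !from_cs->cset->mb_wc ||
        !to_cs->compiled   || !to_cs->cset   || !to_cs->cset->wc_mb)
        return -1;

    const unsigned char *from_end = from + from_length;
    unsigned char *to_start = to, *to_end = to + to_length;
    my_wc_t wc;
    int cnvres;
    while (from < from_end) {
        if ((cnvres = from_cs->cset->mb_wc(&wc, from, from_end)) <= 0) break;
        from += cnvres;
        if ((cnvres = to_cs->cset->wc_mb(wc, to, to_end)) <= 0) break;
        to += cnvres;
    }
    return (long) (to - to_start);
}

/* Converts the report's sample string from latin1 into to_cs; returns bytes written or -1. */
long convert_demo(const charset_info *to_cs)
{
    static const char sample[] = "bar@mysql.com";   /* the literal from the reported query */
    unsigned char out[64];
    return copy_and_convert_checked(out, sizeof out, to_cs,
                                    (const unsigned char *) sample, strlen(sample), &cs_latin1);
}

/* Round-trips the sample latin1 -> ucs2 -> latin1 and reports whether it survives intact. */
int roundtrip_ok(void)
{
    static const char sample[] = "bar@mysql.com";
    unsigned char ucs2[64], back[64];
    long n = copy_and_convert_checked(ucs2, sizeof ucs2, &cs_ucs2_compiled,
                                      (const unsigned char *) sample, strlen(sample), &cs_latin1);
    if (n != 26 || ucs2[0] != 0 || ucs2[1] != 'b') return 0;
    long m = copy_and_convert_checked(back, sizeof back, &cs_latin1, ucs2, (size_t) n,
                                      &cs_ucs2_compiled);
    return m == 13 && memcmp(back, sample, 13) == 0;
}

int main(void)
{
    printf("to ucs2 (compiled):     %ld bytes\n", convert_demo(&cs_ucs2_compiled));
    printf("to ucs2 (not compiled): %ld  (error returned instead of a crash)\n",
           convert_demo(&cs_ucs2_missing));
    printf("round trip intact:      %d\n", roundtrip_ok());
    return 0;
}
```

The check sits at the top of the conversion routine rather than in each caller, because the backtrace shows the handler being reached through several layers (Item::send, Item_func_conv_charset::val_str, String::copy) and a single choke point is the place where a missing converter cannot be overlooked.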
[24 Dec 2003 3:47] Alexander Barkov
I think I fixed it. I did not add a test though.
I don't know the best way to add it :(
[24 Dec 2003 3:47] Alexander Barkov
Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.

If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information 
about accessing the source trees is available at
    http://www.mysql.com/doc/en/Installing_source_tree.html