Bug #21311 Possible stack overrun if SP has non-latin1 name
Submitted: 27 Jul 2006 11:41 Modified: 4 Oct 2006 2:32
Reporter: Andrey Hristov Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Stored Routines Severity:S2 (Serious)
Version:5.0 OS:Any (All)
Assigned to: Andrey Hristov CPU Architecture:Any

[27 Jul 2006 11:41] Andrey Hristov
Description:
In sp.cc, function sp_cache_routines_and_add_tables_aux()
the following code is used:
        if (!thd->net.report_error)
        {
          char n[NAME_LEN*2+2];

          /* m_qname.str is not always \0 terminated */
          memcpy(n, name.m_qname.str, name.m_qname.length);
          n[name.m_qname.length]= '\0';
          my_error(ER_SP_PROC_TABLE_CORRUPT, MYF(0), n, ret);
        }
NAME_LEN is defined in include/mysql_com.h as
#define NAME_LEN	64		/* Field/table name length */

This is the length in characters, not in bytes. If the db + name of the routine is long enough and are not latin1 -> for example cyrillic. This could lead to possible stack overrun.

How to repeat:
Check the sources.

Suggested fix:
Use n[NAMELEN * 3 * 2 + 2]
Considering that our utf8 is limited to 3 byte sequences.
[30 Aug 2006 16:12] Tomash Brechko
Approved by e-mail with several comments.
[30 Aug 2006 19:35] Petr Chardin
approved by email (after adding a test)
[27 Sep 2006 19:30] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/12648

ChangeSet@1.2257, 2006-09-27 21:23:17+02:00, andrey@example.com +3 -0
  Fix for bug#21311: Possible stack overrun if SP has non-latin1 name
    
  There was possible stack overrun in an edge case which handles invalid body of
  a SP in mysql.proc . That should be case when mysql.proc has been changed
  manually. Though, due to bug 21513, it can be exploited without having access
  to mysql.proc only being able to create a stored routine.
[3 Oct 2006 19:37] Dmitry Lenev
Fixed in 5.0.27 and 5.1.12
[4 Oct 2006 2:32] Paul Dubois
Noted in 5.0.27, 5.1.12 changelogs.

It was possible for a stored routine with a non-latin1 name to cause
a stack overrun.
[25 Oct 2006 16:46] Paul Dubois
The 5.0.x fix is in 5.0.30.