Bug #2795 prepare + execute without bind_param crashes server
Submitted: 14 Feb 2004 11:52 Modified: 15 Mar 2004 9:49
Reporter: Georg Richter
Status: Closed
Category:MySQL Server Severity:S3 (Non-critical)
Version:4.1 OS:Linux (Linux/Windows)
Assigned to: Konstantin Osipov CPU Architecture:Any

[14 Feb 2004 11:52] Georg Richter
Description:
When calling mysql_prepare + mysql_execute without binding parameters, the server crashes:

How to repeat:
#include <mysql.h>
#include <stdio.h>
#include <string.h>	/* strcpy, strlen */

int main(void) {
	MYSQL		*mysql;
	MYSQL_STMT	*stmt;
	char		query[512];

	mysql = mysql_init(NULL);
	if (!mysql_real_connect(mysql, "localhost", "root", "", "test", 0, NULL, 0)) {
		fprintf(stderr, "connect failed: %s\n", mysql_error(mysql));
		return 1;
	}

	mysql_query(mysql, "DROP TABLE IF EXISTS t1");
	mysql_query(mysql, "CREATE TABLE t1 (a int, b varchar(20))");

	mysql_query(mysql, "INSERT INTO t1 VALUES(1,'is this a bug?')");

	/* One '?' placeholder, so the prepared statement has param_count == 1 */
	strcpy(query, "SELECT a,b FROM t1 WHERE a=?");
	stmt = mysql_prepare(mysql, query, strlen(query));
	if (!stmt) {
		fprintf(stderr, "prepare failed: %s\n", mysql_error(mysql));
		mysql_close(mysql);
		return 1;
	}

	/* Boooom! Executed without ever calling mysql_bind_param() */
	mysql_execute(stmt);

	mysql_stmt_close(stmt);
	mysql_close(mysql);

	return(0);
}

Suggested fix:
int STDCALL mysql_execute(MYSQL_STMT *stmt)
{
  DBUG_ENTER("mysql_execute");
+
+  if (stmt->param_count && !stmt->param_buffers) {
+    set_stmt_error(stmt, CR_INVALID_PARAMETER_NO, unknown_sqlstate);
+    DBUG_RETURN(1); 
+  }

  if ((*stmt->mysql->methods->stmt_execute)(stmt))
    DBUG_RETURN(1);
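Review bot: the added `if (stmt->param_count && !stmt->param_buffers)` guard lives in the client library's mysql_execute, so it does not address the reported crash, which happens in the server; a client that omits this check, or any non-libmysql client, can still send the same COM_EXECUTE and take mysqld down. The client-side check is worth keeping as a usability improvement (a clear CR_INVALID_PARAMETER_NO instead of a dead connection), but the server's statement-execute handler needs the equivalent validation of the incoming packet before it touches any per-parameter state.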
[14 Feb 2004 12:02] Konstantin Osipov
Georg, thank you for your bug report. 
It seems we already had this bug reported, and we were even fixing it...
Regarding the suggested fix: if the server crashes, the fix should be in the server code.
[17 Feb 2004 20:29] MySQL Verification Team
Tested against a server from BK tree 2 days older.

/sql_prepare.cpp

      else
      {
        param->maybe_null= param->null_value= 0;
        param->setup_param_func(param,&read_pos);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      }

Call stack:

 	a5a5a5a5()	
>	mysqld.exe!insert_params(Prepared_statement * stmt=0x02f044a0, unsigned char * pos=0x02ef4f85, unsigned char * read_pos=0x02ef4f87)  Line 473 + 0x11	C++
 	mysqld.exe!setup_params_data(Prepared_statement * stmt=0x02f044a0)  Line 506 + 0x15	C++
 	mysqld.exe!mysql_stmt_execute(THD * thd=0x02ef37b8, char * packet=0x02ef4f81)  Line 1026 + 0x15	C++
 	mysqld.exe!dispatch_command(enum_server_command command=COM_EXECUTE, THD * thd=0x02ef37b8, char * packet=0x02ef4f81, unsigned int packet_length=7)  Line 1377 + 0xd	C++
 	mysqld.exe!do_command(THD * thd=0x02ef37b8)  Line 1237 + 0x31	C++
 	mysqld.exe!handle_one_connection(void * arg=0x02ef37b8)  Line 1003 + 0x9	C++
 	mysqld.exe!pthread_start(void * param=0x02ef4cf8)  Line 63 + 0x7	C
 	mysqld.exe!_threadstart(void * ptd=0x02efbdf0)  Line 173 + 0xd	C
 	kernel32.dll!77e6d33b()
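A server-side model of the check the earlier reply calls for, as an added example (not code from this bug report or from MySQL): it validates the COM_EXECUTE body and refuses to dispatch while any per-parameter function pointer is still unset, which is the dereference that failed in the trace above. The packet layout (stmt_id, null bitmap, new_params_bound flag, optional type codes) and the Stmt/Param types are assumptions for illustration, sized to match the 6-byte execute body implied by the trace; trace_scenario reproduces that case.

```c
#include <stddef.h>
#include <string.h>

/* Model only (hypothetical types, not MySQL's Prepared_statement). */
typedef struct Param { void (*setup_func)(struct Param *); } Param; /* NULL until types are known */
typedef struct { size_t param_count; int types_bound; Param params[8]; } Stmt;
enum { EXEC_OK = 0, EXEC_ERR_SHORT_PACKET = 1, EXEC_ERR_NO_TYPES = 2 };
static void setup_param_stub(Param *p) { (void)p; }  /* stand-in for the per-type reader */

/* Assumed body layout: stmt_id (4) | null bitmap ((n+7)/8) | new_params_bound (1)
 * | [2-byte type per param, only when that flag is 1] | values.
 * Dispatches to setup_func only after proving it was set. */
int validate_execute(Stmt *s, const unsigned char *body, size_t len)
{
    size_t i, bitmap_len = (s->param_count + 7) / 8;
    size_t need = 4 + (s->param_count ? bitmap_len + 1 : 0);
    const unsigned char *read_pos;
    if (len < need)
        return EXEC_ERR_SHORT_PACKET;
    if (s->param_count == 0)
        return EXEC_OK;                           /* nothing to bind */
    read_pos = body + 4 + bitmap_len;
    if (*read_pos == 1) {                         /* client sent fresh type codes */
        if (len < need + 2 * s->param_count)
            return EXEC_ERR_SHORT_PACKET;
        for (i = 0; i < s->param_count; i++)      /* real code picks a reader per type */
            s->params[i].setup_func = setup_param_stub;
        s->types_bound = 1;
    }
    if (!s->types_bound)                          /* the guard the crashing path lacked */
        return EXEC_ERR_NO_TYPES;
    for (i = 0; i < s->param_count; i++)
        s->params[i].setup_func(&s->params[i]);
    return EXEC_OK;
}

/* The shape in the trace: one parameter, 6-byte body, new_params_bound == 0. */
int trace_scenario(int types_already_bound)
{
    static const unsigned char with_types[8] = {1,0,0,0, 0x00, 0x01, 0x03,0x00}; /* constructed */
    static const unsigned char no_types[6]   = {1,0,0,0, 0x00, 0x00};            /* constructed */
    Stmt s;
    memset(&s, 0, sizeof s);
    s.param_count = 1;
    if (types_already_bound)
        validate_execute(&s, with_types, sizeof with_types);
    return validate_execute(&s, no_types, sizeof no_types);
}
```

A fresh statement executed with the flag byte 0 is rejected with EXEC_ERR_NO_TYPES; once a packet carrying type codes has been seen, the same 6-byte body is accepted.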
[22 Feb 2004 14:16] Konstantin Osipov
This seems to spot the same issue as bug #2473.
No test case is possible either.
[26 Feb 2004 8:03] MySQL Verification Team
A bug fix has been proposed for this problem.
[15 Mar 2004 9:49] Konstantin Osipov
Fixed in 4.1.2: bk commit - 4.1 tree (konstantin:1.1790)