Bug #28522 Buffer overrun in mysqldump when using --hex-blob
Submitted: 18 May 2007 15:36   Modified: 8 Jun 2007 18:03
Reporter: Daniel Fiske
Status: Closed
Category: MySQL Server: Backup   Severity: S2 (Serious)
Version: 5.0.37, 5.0.42   OS: Any
Assigned to: Gleb Shchepa   CPU Architecture: Any
Tags: buffer, hex-blob, mysqldump

[18 May 2007 15:36] Daniel Fiske
Description:
mysqldump calculates the required memory for the hex-blob string incorrectly, which causes a buffer overrun, which causes mysqldump to crash silently in release and produce incomplete output. In debug it produces:

Error: Memory allocated at .\string.c:abc was overrun, discovered at '.\string.c:xyz'

How to repeat:
It's hard to reproduce, which is probably why no-one has noticed, as far as I can tell! It happens when the output buffer string is exactly the same length as the required hex string to be appended.

Suggested fix:
mysqldump.c:2442

    if (dynstr_realloc(&extended_row,length * 2+2))

is incorrect.

The calculation takes into account the length of the blob data * 2 (i.e. 2 ASCII characters per hex value) + 2 (2 characters for the 0x prefix for --hex-blob); however, mysqldump.c:2451-2454, and in fact mysql_hex_string(...),

    extended_row.length+= mysql_hex_string(extended_row.str + extended_row.length,
                                           row[i], length);
    extended_row.str[extended_row.length]= '\0';

...append the \0 character, which is not taken into account. Therefore

mysqldump.c:2442

    if (dynstr_realloc(&extended_row,length * 2+2))

should be

    if (dynstr_realloc(&extended_row,length * 2+3))
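The off-by-one described in the report, as an added worked example in C (this is not code from mysqldump, from string.c or from the patch for this bug). It uses a hypothetical, simplified stand-in for DYNAMIC_STRING (dyn_string, dyn_init, dyn_realloc, dyn_append) that is assumed to behave like MySQL's: capacity is rounded up to a multiple of an alloc_increment, and dynstr_append reserves room for its own NUL. A guard byte is placed just past max_length so the one-byte overrun can be observed without undefined behaviour, the way a debug allocator would report it. hex_string follows the contract the report attributes to mysql_hex_string (2*len digits plus a trailing NUL that is written but not counted in the return value); reserve_buggy and reserve_fixed are the two formulas from the report. The blob bytes and the increment values are constructed sample input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for MySQL's DYNAMIC_STRING (hypothetical, not string.c):
   capacity is rounded up to a multiple of alloc_increment, and one guard byte
   sits at str[max_length] so a one-byte overrun is detectable without UB. */
#define GUARD 0xA5

typedef struct {
    char *str;
    size_t length;          /* bytes in use, trailing NUL not counted */
    size_t max_length;      /* usable capacity; str[max_length] is the guard */
    size_t alloc_increment; /* growth granularity */
} dyn_string;

static int dyn_init(dyn_string *s, size_t cap, size_t inc)
{
    if (cap == 0 || inc == 0 || !(s->str = malloc(cap + 1))) return 0;
    s->length = 0; s->max_length = cap; s->alloc_increment = inc;
    s->str[0] = '\0'; s->str[cap] = (char)GUARD;
    return 1;
}

/* Make room for `additional` bytes beyond length; 0 on success, 1 on failure. */
static int dyn_realloc(dyn_string *s, size_t additional)
{
    size_t need = s->length + additional, cap;
    char *p;
    if (need <= s->max_length) return 0;
    cap = ((need + s->alloc_increment - 1) / s->alloc_increment) * s->alloc_increment;
    if (!(p = realloc(s->str, cap + 1))) return 1;
    s->str = p; s->max_length = cap; s->str[cap] = (char)GUARD;
    return 0;
}

/* Append a C string, reserving room for its NUL as dynstr_append does. */
static int dyn_append(dyn_string *s, const char *txt)
{
    size_t n = strlen(txt);
    if (dyn_realloc(s, n + 1)) return 1;
    memcpy(s->str + s->length, txt, n + 1);
    s->length += n;
    return 0;
}

/* Same contract as mysql_hex_string(): 2*len hex digits, then a NUL that is
   written but not counted in the returned length. */
static size_t hex_string(char *to, const unsigned char *from, size_t len)
{
    static const char digits[] = "0123456789ABCDEF";
    char *p = to;
    for (size_t i = 0; i < len; i++) {
        *p++ = digits[from[i] >> 4];
        *p++ = digits[from[i] & 0x0F];
    }
    *p = '\0';
    return (size_t)(p - to);
}

static size_t reserve_buggy(size_t len) { return len * 2 + 2; } /* "0x" + digits */
static size_t reserve_fixed(size_t len) { return len * 2 + 3; } /* ... + NUL    */

/* The dump_table() sequence from the report: reserve, append "0x", hex-encode,
   NUL-terminate. Returns 1 if the guard survived, 0 if the NUL landed on it,
   -1 on allocation failure. */
static int append_hex_blob(dyn_string *s, const unsigned char *blob, size_t len,
                           size_t (*reserve)(size_t))
{
    if (dyn_realloc(s, reserve(len)) || dyn_append(s, "0x")) return -1;
    s->length += hex_string(s->str + s->length, blob, len);
    s->str[s->length] = '\0';
    return (unsigned char)s->str[s->max_length] == GUARD;
}

/* Dump a constructed blob of `len` 0xAB bytes into a fresh 1-byte row buffer
   with growth granularity `inc`; same return values as append_hex_blob. */
static int dump_blob(size_t len, size_t inc, size_t (*reserve)(size_t))
{
    unsigned char blob[64];
    dyn_string row;
    int ok;
    if (len > sizeof blob || !dyn_init(&row, 1, inc)) return -1;
    memset(blob, 0xAB, sizeof blob);
    ok = append_hex_blob(&row, blob, len, reserve);
    free(row.str);
    return ok;
}

int main(void)
{
    static const char *verdict[] = { "OVERRUN", "ok" };
    /* inc=1: the buffer is always exactly full, so the bug fires every time. */
    printf("inc=1  len=4 buggy: %s\n", verdict[dump_blob(4, 1, reserve_buggy) == 1]);
    printf("inc=1  len=4 fixed: %s\n", verdict[dump_blob(4, 1, reserve_fixed) == 1]);
    /* inc=16: only a blob whose 2*len+2 hits the boundary (len=7 -> 16) fills
       the buffer exactly, which is why the report calls it hard to reproduce. */
    printf("inc=16 len=4 buggy: %s\n", verdict[dump_blob(4, 16, reserve_buggy) == 1]);
    printf("inc=16 len=7 buggy: %s\n", verdict[dump_blob(7, 16, reserve_buggy) == 1]);
    printf("inc=16 len=7 fixed: %s\n", verdict[dump_blob(7, 16, reserve_fixed) == 1]);
    return 0;
}
```

With an increment of 1 the reserved space is always exactly "0x" plus the digits, so the terminating NUL lands one byte past max_length on every blob. With a realistic increment the rounding usually leaves slack, and the overrun only appears when 2*len+2 happens to land on a boundary, which matches the reporter's observation that it is hard to hit. Reserving length*2+3, as the committed fix does, makes the NUL fit whatever the rounding.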
[18 May 2007 15:54] Daniel Fiske
I assume this is still in the 5.0.41 release, but I only had the Windows 5.0.37 source, so that's what I worked with.
[20 May 2007 16:07] Shane Bester
import this table, then run "mysqldump test --hex-blob"

Attachment: testcase.sql (application/octet-stream, text), 3.41 KiB.

[20 May 2007 16:08] Shane Bester
E:\builds\mysql-5.0.42-win-src\mysql-5.0.42\client\debug>mysqldump test --hex-blob --extended-insert=1
Error: Memory allocated at .\string.c:84 was overrun, discovered at '.\string.c:106'
Error: Memory allocated at .\string.c:84 was overrun, discovered at '.\string.c:106'
Error: Memory allocated at .\string.c:84 was overrun, discovered at '.\string.c:106'

Verified using attached table in testcase.sql
[25 May 2007 12:13] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/27337

ChangeSet@1.2501, 2007-05-25 17:24:17+05:00, gshchepa@gleb.loc +3 -0
  Fixed bug #28522:
  sometimes `mysqldump --hex-blob' overran the output buffer by a '\0' byte.
  
  The dump_table() function has been fixed to reserve 1 byte more for the
  last '\0' byte of dumped string.
[4 Jun 2007 21:20] Bugs System
Pushed into 5.1.20-beta
[4 Jun 2007 21:22] Bugs System
Pushed into 5.0.44
[8 Jun 2007 18:03] Peter Lavin
Thank you for your bug report. This issue has been committed to our source repository of that product and will be incorporated into the next release.

If necessary, you can access the source repository and build the latest available version, including the bug fix. More information about accessing the source trees is available at

    http://dev.mysql.com/doc/en/installing-source.html

Documented fix in 5.0.44 and 5.1.20 changelogs.