Bug #29804 UDF parameters don't contain correct string length
Submitted: 14 Jul 2007 23:40 Modified: 23 Oct 2007 0:30
Reporter: Todd Farmer (OCA) Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: User-defined functions ( UDF ) Severity:S1 (Critical)
Version:5.0 OS:Any
Assigned to: Damien Katz CPU Architecture:Any
Tags: bfsm_2007_07_19

[14 Jul 2007 23:40] Todd Farmer
Description:
When a UDF is called from a trigger, the parameters do not contain the correct values for arg->length[i].  Because strings are not guaranteed to be null-terminated (and in fact, are not in this case), the parameter can contain corrupt data.

How to repeat:
1. Create nametest UDF using the attached C++ file.  
2. Install the nametest function.
3. Execute attached script, observing output to server error log.

Suggested fix:
Pass the correct length in args->length[i].
[14 Jul 2007 23:41] Todd Farmer
nametest UDF

Attachment: nametest.cpp (text/plain), 1.80 KiB.

[14 Jul 2007 23:42] Todd Farmer
makefile

Attachment: Makefile (application/octet-stream, text), 411 bytes.

[14 Jul 2007 23:42] Todd Farmer
trigger and table structure

Attachment: dump.sql (application/octet-stream, text), 2.22 KiB.

[16 Jul 2007 7:00] Sveta Smirnova
Thank you for the report.

Verified as described.
[3 Aug 2007 20:12] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/32091

ChangeSet@1.2502, 2007-08-03 16:12:23-04:00, dkatz@damien-katzs-computer.local +4 -0
  Bug #29804  UDF parameters don't contain correct string length
  
  Previously, UDF *_init functions were passed constant strings with erroneous lengths. The length came from the containing variable's size, not the length of the value itself.
  
  Now the *_init functions get the constant as a null terminated string with the correct length supplied.
[9 Aug 2007 8:21] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/32281

ChangeSet@1.2588, 2007-08-09 10:21:28+02:00, msvensson@pilot.(none) +2 -0
  Bug#29804 UDF parameters don't contain correct string length
   - Fix warnings
   - Export 'check_const_len' from udf_example.dll
[13 Aug 2007 7:46] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/32430

ChangeSet@1.2564, 2007-08-13 09:46:09+02:00, msvensson@pilot.(none) +1 -0
  Bug#29804 UDF parameters don't contain correct string length
   - Export 'check_const_len_init' from udf_example.dll
[20 Aug 2007 10:20] Bugs System
Pushed into 5.1.22-beta
[29 Aug 2007 18:37] Damien Katz
Paul, the problem was only during the UDF init phase. If you have a UDF function named foo, then you can also have C function named foo_int that gets called with some compile-time information about how the call is being made, so that the C code may do optimizations, like preallocate a buffer.

The problem was that under some circumstances, the args MySQL supplied to the user init function would indicate that an arg was a constant value (always the same each time the UDF is called), but provide an max length longer than the constant value. This causes problems when user code would reasonably assume the constant length and the max length are the same, but would end up getting buffer noise after the constant. Also the constant values are usually null terminated, but under the same circumstances they might not be, meaning there was no correct way to read the constant value supplied to the init function.

The changed init behavior is to now provide the length of the constant value as the max length, and also the constant string value will always be null terminated. Runtime behavior is unchanged.
[29 Aug 2007 21:43] Todd Farmer
When does this get merged to 5.0?
[31 Aug 2007 1:33] Paul Dubois
Noted in 5.1.22 changelog.

Under some circumstances, a UDF initialization function could be
passed incorrect argument lengths.
[5 Sep 2007 19:06] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/33758

ChangeSet@1.2502, 2007-09-05 15:06:10-04:00, dkatz@damien-katzs-computer.local +5 -0
  Bug #29804  UDF parameters don't contain correct string length
    
  Previously, UDF *_init functions were passed constant strings with erroneous lengths.
  The length came from the containing variable's size, not the length of the value itself.
    
  Now the *_init functions get the constant as a null terminated string with the correct
  length supplied too.
[9 Oct 2007 15:21] Sveta Smirnova
Bug is reopen, because patch does not exist in version 5.0
[17 Oct 2007 23:31] Damien Katz
patch pushed to mysql-5.0-runtime
[18 Oct 2007 21:34] Bugs System
Pushed into 5.1.23-beta
[18 Oct 2007 21:36] Bugs System
Pushed into 5.0.52
[19 Oct 2007 18:53] Bugs System
Pushed into 5.1.23-beta
[19 Oct 2007 18:54] Bugs System
Pushed into 5.0.52
[23 Oct 2007 0:30] Paul Dubois
Also noted in 5.0.52 changelog.