Bug #35558 Wrong server metadata blows up the client
Submitted: 25 Mar 2008 19:06 Modified: 21 Jan 2009 16:15
Reporter: Andrey Hristov
Status: Closed
Category: MySQL Server: Data Types    Severity: S2 (Serious)
Version: 5.0.67, 5.1.28    OS: Any
Assigned to: Sergey Glukhov    CPU Architecture: Any
Triage: Triaged: D2 (Serious)

[25 Mar 2008 19:06] Andrey Hristov
Description:
The server sends wrong metadata for the result of a call to the FORMAT function, which leads to client memory blowup if libmysql is used when prepared statements are used. The problem, however, is not strictly PS; it just manifests in this context.
Whatever number is passed to FORMAT, it cannot end up having a string representation 1431655771 digits in length. I reproduce it with 5.1; it probably affects 5.0 and 6.0 too. There is a PHP bug report because of this issue (http://bugs.php.net/bug.php?id=42378 bind_result memory exhaustion).
See the example:

How to repeat:
andrey@whirlpool:~/dev/vanilla/php5_3> mysql --column-type-info
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 10542
Server version: 5.1.24-rc-debug Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> use test;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> create table format_test(a float);
Query OK, 0 rows affected (0.00 sec)

mysql> insert into format_test values (1.33);
Query OK, 1 row affected (0.00 sec)

mysql> select format(a, 2) from format_test;
Field   1:  `format(a, 2)`
Catalog:    `def`
Database:   ``
Table:      ``
Org_table:  ``
Type:       LONG_BLOB
Collation:  latin1_swedish_ci (8)
Length:     1431655771  <---------------------- 1.4GB for a column??
Max_length: 4
Decimals:   31
Flags:

+--------------+
| format(a, 2) |
+--------------+
| 1.33         |
+--------------+
1 row in set (0.00 sec)
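The failure mode described above is a client trusting the server-supplied column length when sizing its bind buffers. The following is an added example, not code from the bug report, MySQL or PHP: it parses a MySQL 4.1 Column Definition packet, reads the `column_length` field (the value this bug reports as 1431655771), and caps the allocation at a client-side ceiling, flagging the column as suspicious. The two packets are constructed by hand to mirror the metadata shown in this report (the broken 5.1.24 output and the sane 5.1.23 output further down), and `ASSUMED_MAX_ALLOWED_PACKET` is an assumed client limit, not a value from the page.

```python
"""Parse a MySQL Column Definition (protocol 4.1) packet and bound the
per-column buffer a client allocates from its `column_length` field.
Added example; the sample packets below are constructed, not captured."""
from __future__ import annotations
import struct
from dataclasses import dataclass

MYSQL_TYPE_LONG_BLOB = 0xFB    # type code shown as LONG_BLOB in the report
MYSQL_TYPE_VAR_STRING = 0xFD   # type code shown as VAR_STRING in the report

# Assumed client-side ceiling: a single column value cannot be larger than
# the biggest packet the client will accept, so never allocate more for it.
ASSUMED_MAX_ALLOWED_PACKET = 16 * 1024 * 1024


def lenenc(data: bytes) -> bytes:
    """Length-encoded string; the short (< 251) form suffices for our samples."""
    assert len(data) < 251
    return bytes([len(data)]) + data


def read_lenenc(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read a length-encoded string at pos; return (bytes, new_pos)."""
    first = buf[pos]
    if first < 0xFB:
        n, pos = first, pos + 1
    elif first == 0xFC:
        n, pos = struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    elif first == 0xFD:
        n, pos = int.from_bytes(buf[pos + 1:pos + 4], "little"), pos + 4
    elif first == 0xFE:
        n, pos = struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9
    else:
        raise ValueError("invalid length-encoded integer")
    if pos + n > len(buf):
        raise ValueError("length-encoded string runs past packet end")
    return buf[pos:pos + n], pos + n


@dataclass
class ColumnDef:
    name: str
    charset: int
    column_length: int
    type_code: int
    flags: int
    decimals: int


# Fixed-length tail of the packet: charset(2) length(4) type(1) flags(2)
# decimals(1) filler(2) = 12 bytes, announced by the 0x0C byte before it.
_FIXED = "<HIBHBxx"


def build_column_def(name: str, charset: int, column_length: int,
                     type_code: int, flags: int, decimals: int) -> bytes:
    """Construct a Column Definition packet (catalog 'def', empty schema/table)."""
    head = b"".join(lenenc(s) for s in (b"def", b"", b"", b"", name.encode(), b""))
    return head + bytes([0x0C]) + struct.pack(_FIXED, charset, column_length,
                                             type_code, flags, decimals)


def parse_column_def(pkt: bytes) -> ColumnDef:
    pos = 0
    _catalog, pos = read_lenenc(pkt, pos)
    for _ in range(3):                      # schema, table, org_table
        _, pos = read_lenenc(pkt, pos)
    name, pos = read_lenenc(pkt, pos)
    _org_name, pos = read_lenenc(pkt, pos)
    if pkt[pos] != 0x0C:
        raise ValueError("unexpected fixed-field length byte")
    charset, length, type_code, flags, decimals = struct.unpack_from(_FIXED, pkt, pos + 1)
    return ColumnDef(name.decode(), charset, length, type_code, flags, decimals)


def buffer_size_for(col: ColumnDef, cap: int = ASSUMED_MAX_ALLOWED_PACKET) -> tuple[int, bool]:
    """Bytes to allocate for one bound column and whether the metadata looked bogus.
    The server's length claim is advisory; the cap, not the claim, bounds memory."""
    suspicious = col.column_length > cap
    return min(col.column_length, cap), suspicious


# Constructed to mirror the report: broken 5.1.24 metadata vs. sane 5.1.23 metadata.
BROKEN_PKT = build_column_def("format(a, 2)", 8, 1431655771, MYSQL_TYPE_LONG_BLOB, 0, 31)
SANE_PKT = build_column_def("format(a, 2)", 33, 15, MYSQL_TYPE_VAR_STRING, 0, 31)

if __name__ == "__main__":
    for label, pkt in (("broken", BROKEN_PKT), ("sane", SANE_PKT)):
        col = parse_column_def(pkt)
        size, bad = buffer_size_for(col)
        print(f"{label}: `{col.name}` claims {col.column_length} bytes -> "
              f"allocate {size}{' (metadata suspicious, logged)' if bad else ''}")
```

A client that already sizes buffers from `column_length` can alternatively start small and rely on libmysql's truncation signal: `mysql_stmt_fetch()` returns `MYSQL_DATA_TRUNCATED` and `mysql_stmt_fetch_column()` re-reads the value into a larger buffer, so the real row data, not the metadata claim, drives the final allocation.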
[25 Mar 2008 21:17] Valeriy Kravchuk
Thank you for a problem report. I need some more details (character sets used etc.), as I cannot repeat this on 5.1.23 on Windows:

C:\Program Files\MySQL\MySQL Server 5.0\bin>mysql -uroot -proot -P3310 -T test
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.1.23-rc-community-debug MySQL Community Server - Debug (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create table format_test(a float);
Query OK, 0 rows affected (0.17 sec)

mysql> insert into format_test values (1.33);
Query OK, 1 row affected (0.03 sec)

mysql> select format(a, 2) from format_test;
Field   1:  `format(a, 2)`
Catalog:    `def`
Database:   ``
Table:      ``
Org_table:  ``
Type:       VAR_STRING
Collation:  utf8_general_ci (33)
Length:     15
Max_length: 4
Decimals:   31
Flags:

+--------------+
| format(a, 2) |
+--------------+
| 1.33         |
+--------------+
1 row in set (0.06 sec)

So, it can be a recent regression.
[25 Apr 2008 23:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
[10 Oct 2008 16:25] John Heinig
I have the exact same issues with MySQL Server 5.0.67 and 5.0.45 on Windows.  

The character set is latin1.
DB Engine is InnoDB.
If there are any other details you need I can provide them.

C:\Program Files\MySQL\MySQL Server 5.0\bin>mysql --user=root --password  --debug-info
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 5.0.67-community-nt MySQL Community Edition (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> use test
Database changed
mysql> create table format_test(a float);
Query OK, 0 rows affected (0.14 sec)

mysql> insert into format_test values (1.33);
Query OK, 1 row affected (0.08 sec)

mysql> select format(a, 2) from format_test;
Field   1:  `format(a, 2)`
Catalog:    `def`
Database:   ``
Table:      ``
Org_table:  ``
Type:       VAR_STRING
Collation:  latin1_swedish_ci (8)
Length:     1431655771
Max_length: 4
Decimals:   2
Flags:

+--------------+
| format(a, 2) |
+--------------+
| 1.33         |
+--------------+
1 row in set (0.00 sec)

mysql>
[10 Oct 2008 16:46] Valeriy Kravchuk
Verified just as described with 5.0.66a and 5.1.28 on Windows:

C:\Program Files\MySQL\MySQL Server 5.0\bin>mysql -uroot -proot -P3308 -T test
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 5.0.66a-enterprise-gpl-nt MySQL Enterprise Server (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> set names latin1;
Query OK, 0 rows affected (0.03 sec)

mysql> create table format_test(a float);
Query OK, 0 rows affected (0.14 sec)

mysql>  insert into format_test values (1.33);
Query OK, 1 row affected (0.05 sec)

mysql> select format(a, 2) from format_test;
Field   1:  `format(a, 2)`
Catalog:    `def`
Database:   ``
Table:      ``
Org_table:  ``
Type:       VAR_STRING
Collation:  latin1_swedish_ci (8)
Length:     1431655771
Max_length: 4
Decimals:   2
Flags:

+--------------+
| format(a, 2) |
+--------------+
| 1.33         |
+--------------+
1 row in set (0.00 sec)

mysql> show variables like 'char%';
Field   1:  `Variable_name`
Catalog:    `def`
Database:   ``
Table:      `VARIABLES`
Org_table:  ``
Type:       VAR_STRING
Collation:  latin1_swedish_ci (8)
Length:     80
Max_length: 24
Decimals:   0
Flags:      NOT_NULL

Field   2:  `Value`
Catalog:    `def`
Database:   ``
Table:      `VARIABLES`
Org_table:  ``
Type:       VAR_STRING
Collation:  latin1_swedish_ci (8)
Length:     512
Max_length: 55
Decimals:   0
Flags:      NOT_NULL

+--------------------------+---------------------------------------------------------+
| Variable_name            | Value                                                   |
+--------------------------+---------------------------------------------------------+
| character_set_client     | latin1                                                  |
| character_set_connection | latin1                                                  |
| character_set_database   | utf8                                                    |
| character_set_filesystem | binary                                                  |
| character_set_results    | latin1                                                  |
| character_set_server     | utf8                                                    |
| character_set_system     | utf8                                                    |
| character_sets_dir       | C:\Program Files\MySQL\MySQL Server 5.0\share\charsets\ |
+--------------------------+---------------------------------------------------------+
8 rows in set (0.00 sec)

So, it depends on latin1, really.
[5 Dec 2008 12:33] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/60731

2732 Sergey Glukhov	2008-12-05
      bug#35558 Wrong server metadata blows up the client
      the problem: FORMAT func max_length value was calculated incorrectly
      the fix: correct calculation of max_length
[8 Dec 2008 14:09] Alexander Barkov
http://lists.mysql.com/commits/60731 is ok to push.
[9 Dec 2008 10:01] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/61021

2738 Sergey Glukhov	2008-12-09
      bug#35558 Wrong server metadata blows up the client
      the problem: FORMAT func max_length value was calculated incorrectly
      the fix: correct calculation of max_length
[6 Jan 2009 13:57] Bugs System
Pushed into 5.0.76 (revid:joro@sun.com-20090105160414-8q9j4bi1klkfwiup) (version source revid:azundris@mysql.com-20081230114734-nmsc37ak330zlygn) (merge vers: 5.0.76) (pib:6)
[8 Jan 2009 21:27] Paul Dubois
Noted in 5.0.76 changelog.

The max_length metadata value was calculated incorrectly for the
FORMAT() function, which could cause incorrect result set metadata to
be sent to clients.

Setting report to NDI pending push into 5.1.x/6.0.x.
[15 Jan 2009 6:39] Bugs System
Pushed into 5.1.31 (revid:joro@sun.com-20090115053147-tx1oapthnzgvs1ro) (version source revid:azundris@mysql.com-20081230114838-cn52tu180wcrvh0h) (merge vers: 5.1.31) (pib:6)
[15 Jan 2009 16:22] Paul Dubois
Noted in 5.1.31 changelog.

Setting report to NDI pending push into 6.0.x.
[19 Jan 2009 11:25] Bugs System
Pushed into 5.1.31-ndb-6.2.17 (revid:tomas.ulin@sun.com-20090119095303-uwwvxiibtr38djii) (version source revid:tomas.ulin@sun.com-20090115073240-1wanl85vlvw2she1) (merge vers: 5.1.31-ndb-6.2.17) (pib:6)
[19 Jan 2009 13:03] Bugs System
Pushed into 5.1.31-ndb-6.3.21 (revid:tomas.ulin@sun.com-20090119104956-guxz190n2kh31fxl) (version source revid:tomas.ulin@sun.com-20090119104956-guxz190n2kh31fxl) (merge vers: 5.1.31-ndb-6.3.21) (pib:6)
[19 Jan 2009 15:43] Jon Stephens
Setting status back to NDI pending merge to 6.0 tree.
[19 Jan 2009 16:09] Bugs System
Pushed into 5.1.31-ndb-6.4.1 (revid:tomas.ulin@sun.com-20090119144033-4aylstx5czzz88i5) (version source revid:tomas.ulin@sun.com-20090119144033-4aylstx5czzz88i5) (merge vers: 5.1.31-ndb-6.4.1) (pib:6)
[20 Jan 2009 18:56] Bugs System
Pushed into 6.0.10-alpha (revid:joro@sun.com-20090119171328-2hemf2ndc1dxl0et) (version source revid:azundris@mysql.com-20081230114916-c290n83z25wkt6e4) (merge vers: 6.0.9-alpha) (pib:6)
[21 Jan 2009 16:15] Paul Dubois
Noted in 6.0.10 changelog.