Bug #35658 An empty binary value leads to mysqld crash
Submitted: 28 Mar 2008 18:12    Modified: 10 Jul 2008 17:55
Reporter: Kay Roepke
Status: Closed
Category: MySQL Server: Parser    Severity: S1 (Critical)
Version: 5.0, 5.1, 6.0    OS: Any
Assigned to: Marc Alff    CPU Architecture: Any
Triage: D1 (Critical)

[28 Mar 2008 18:12] Kay Roepke
Description:
Using an empty binary value leads to server crash in Item_bin_string::Item_bin_string

How to repeat:
From a mysql client do
select b'';

The server crashes.

Suggested fix:
Fix Item_bin_string::Item_bin_string to deal with the empty string.
[28 Mar 2008 19:05] Kay Roepke
select x'';

does not cause a crash. Comparing the two methods should indicate the fix.
[2 Apr 2008 20:48] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/44815

ChangeSet@1.2599, 2008-04-02 14:48:27-06:00, malff@lambda.hsd1.co.comcast.net. +3 -0
  Bug#35658 (An empty binary value leads to mysqld crash)
  
  Before this fix, the following tokens:
    x''
    b''
  were parsed by the lexer as a HEX_NUM and BIN_NUM, but with a wrong value.
  This caused the parser to later crash when using the value string (for
  binary), or produce undocumented results (x'' was considered a hexadecimal
  value of 0).
  
  With this fix, these tokens are properly detected as malformed hexadecimal and
  binary literals.
[3 Apr 2008 8:26] Sergei Golubchik
According to the SQL standard (part 2 foundations, section 5.3 <literal>):

<binary string literal> ::=
    X <quote> [ { <hexit> <hexit> }... ] <quote>
    [ { <separator> <quote> [ { <hexit> <hexit> }... ] <quote> }... ]

That is, a binary string literal must have an even number of digits, and (!!!) zero digits is allowed.
[3 Apr 2008 11:53] Kay Roepke
Sergei,

After re-reading the grammar in the standard, I do not concur (at least not for the copy of SQL 99 I have). 

There are two separate rules listed:
<hex string literal> ::= 
    X <quote> [ <hexit>... ] <quote> 
    [ { <separator> <quote> [ <hexit>... ] <quote> }... ] 
and
<binary string literal> ::= 
    X <quote> [ { <hexit> <hexit> }... ] <quote> 
    [ { <separator> <quote> [ { <hexit> <hexit> }... ] <quote> }... ] 

The first one would allow e.g. X'a'.
In fact, Syntax Rules 3) specifically states that both the following are equivalent:
X'0a' == X'0' 'a'.
Furthermore, the declared type of <hex string literal> is a fixed length bit string and those are not required to be of even length, AFAICS (according to section 4.4)

Do you know whether the above is correct and if the standard says anything about the expected value of B'' and X''?
[3 Apr 2008 12:20] Kay Roepke
After discussing this, we determined that SQL2003 differs in its grammar from SQL99 (the one I looked at) and requires an even length of the hex digits in hex strings.

We should enforce an even length of hex literal strings and allow x'' to be the empty string (i.e. evaluate to 0 in numeric context). The same applies to b'' (without the even length requirement).
[3 Apr 2008 18:13] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/44886

ChangeSet@1.2599, 2008-04-03 12:12:53-06:00, malff@lambda.hsd1.co.comcast.net. +3 -0
  Bug#35658 (An empty binary value leads to mysqld crash)
  
  Before this fix, the following token
    b''
  caused the parser to crash when reading the binary value from the empty string.
  The crash was caused by:
    ptr+= max_length - 1;
  because max_length is unsigned and was 0, causing an overflow.
  
  With this fix, an empty binary literal b'' is parsed as a binary value 0,
  in Item_bin_string.
[28 May 2008 10:02] Bugs System
Pushed into 6.0.6-alpha
[27 Jun 2008 10:34] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/48628

2676 Gleb Shchepa	2008-06-27
      backport to 5.1 from 6.0
      
      Bug#35658 (An empty binary value leads to mysqld crash)
        
      Before this fix, the following token
        b''
      caused the parser to crash when reading the binary value from the empty string.
      The crash was caused by:
        ptr+= max_length - 1;
      because max_length is unsigned and was 0, causing an overflow.
        
      With this fix, an empty binary literal b'' is parsed as a binary value 0,
      in Item_bin_string.
[27 Jun 2008 10:40] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/48629

2676 Gleb Shchepa	2008-06-27
      backport to 5.1 from 6.0
      
      Bug#35658 (An empty binary value leads to mysqld crash)
        
      Before this fix, the following token
        b''
      caused the parser to crash when reading the binary value from the empty string.
      The crash was caused by:
        ptr+= max_length - 1;
      because max_length is unsigned and was 0, causing an overflow.
        
      With this fix, an empty binary literal b'' is parsed as a binary value 0,
      in Item_bin_string.
[27 Jun 2008 13:23] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/48641

2660 Gleb Shchepa	2008-06-27
      backport to 5.1.26 from 6.0
      
      Bug#35658 (An empty binary value leads to mysqld crash)
        
      Before this fix, the following token
        b''
      caused the parser to crash when reading the binary value from the empty string.
      The crash was caused by:
        ptr+= max_length - 1;
      because max_length is unsigned and was 0, causing an overflow.
        
      With this fix, an empty binary literal b'' is parsed as a binary value 0,
      in Item_bin_string.
[27 Jun 2008 14:35] Georgi Kodinov
Bug #37655 marked as a duplicate of this one.
[27 Jun 2008 14:36] Georgi Kodinov
Pushed in 5.1.26
[27 Jun 2008 15:58] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/48657

2645 Gleb Shchepa	2008-06-27
      backport from 6.0
            
      Bug#35658 (An empty binary value leads to mysqld crash)
              
      Before this fix, the following token
        b''
      caused the parser to crash when reading the binary value from the empty string.
      The crash was caused by:
        ptr+= max_length - 1;
      because max_length is unsigned and was 0, causing an overflow.
              
      With this fix, an empty binary literal b'' is parsed as a binary value 0,
      in Item_bin_string.
[27 Jun 2008 16:00] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/48658

2645 Gleb Shchepa	2008-06-27
      backport from 6.0
            
      Bug#35658 (An empty binary value leads to mysqld crash)
              
      Before this fix, the following token
        b''
      caused the parser to crash when reading the binary value from the empty string.
      The crash was caused by:
        ptr+= max_length - 1;
      because max_length is unsigned and was 0, causing an overflow.
              
      With this fix, an empty binary literal b'' is parsed as a binary value 0,
      in Item_bin_string.
[27 Jun 2008 17:41] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/48669

2661 Joerg Bruehe	2008-06-27 [merge]
      Merge the fix for bug#37623  (Suffix "-64bit" is duplicated)
      from 5.0 into the 5.1.26 release clone.
[27 Jun 2008 20:36] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/48679

2678 Gleb Shchepa	2008-06-27 [merge]
      auto merge from local tree
[9 Jul 2008 12:40] Georgi Kodinov
Pushed in 5.0.66
[10 Jul 2008 17:55] Paul Dubois
Noted in 5.0.66, 5.1.26, 6.0.6 changelogs.

An empty bit-string literal (b'') caused a server crash. Now the
value is parsed as having binary value 0.
[11 Jul 2008 11:28] Susanne Ebrecht
Bug #38032 was set as duplicate of this bug here.
[11 Jul 2008 16:45] Paul Dubois
To better describe the format of hex values (and whether they require an even number of digits), I've added this paragraph to http://dev.mysql.com/doc/refman/5.0/en/hexadecimal-values.html:

MySQL supports hexadecimal values, written using X'val', x'val', or
0xval format, where val contains hexadecimal digits (0..9, A..F).
Lettercase of the digits does not matter. For values written using
X'val' or x'val' format, val must contain an even number of digits.
For values written using 0xval syntax, values that contain an odd
number of digits are treated as having an extra leading 0. For
example, 0x0a and 0xaaa are interpreted as 0x0a and 0x0aaa.
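The two technical points in this thread, the unsigned underflow in the commit message (`ptr+= max_length - 1;` with `max_length == 0`) and the digit-count rules for hex literals in the documentation paragraph just above, can both be shown in one small decoder. The following C code is an added example written for this page; it is not MySQL's code and does not reproduce `Item_bin_string`. The type `literal_bytes` and the functions `decode_bin_digits`, `decode_hex_digits`, `parse_literal`, `literal_to_u64`, `literal_ok`, `literal_len` and `literal_value` are invented here, and representing the empty literals `b''` and `x''` as zero bytes whose numeric value is 0 is an assumption about representation, chosen to match the thread's "evaluates to 0 in numeric context". The defensive pattern it demonstrates is to test for the empty input before any pointer or length arithmetic, rather than after an unsigned subtraction has already wrapped.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded literal. Constructed for this example; not a MySQL type. */
typedef struct {
    bool ok;            /* false for a malformed literal */
    size_t len;         /* number of bytes in out; 0 for b'' and x'' */
    uint8_t out[16];    /* big-endian bytes, most significant first */
} literal_bytes;

/* Digits of a b'...' literal (the text between the quotes).
   The pre-fix server did, with an unsigned max_length:
       ptr += max_length - 1;
   so max_length == 0 wrapped to SIZE_MAX and ptr ran off the buffer.
   Here the empty case is handled before any arithmetic on the length. */
literal_bytes decode_bin_digits(const char *digits, size_t nbits)
{
    literal_bytes r = { .ok = true, .len = 0 };
    if (nbits == 0)
        return r;                          /* b'' -> value 0, no bytes */
    size_t nbytes = (nbits + 7) / 8;
    if (nbytes > sizeof r.out) { r.ok = false; return r; }
    r.len = nbytes;
    memset(r.out, 0, nbytes);
    for (size_t i = 0; i < nbits; i++) {
        if (digits[i] != '0' && digits[i] != '1') { r.ok = false; return r; }
        size_t from_right = nbits - 1 - i;  /* bit position counted from the LSB */
        if (digits[i] == '1')
            r.out[nbytes - 1 - from_right / 8] |= (uint8_t)(1u << (from_right % 8));
    }
    return r;
}

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Digits of a hex literal. quoted == true applies the X'val' rule
   (even digit count required, empty allowed); quoted == false applies
   the 0xval rule (an odd count gets an extra leading 0). */
literal_bytes decode_hex_digits(const char *digits, size_t ndigits, bool quoted)
{
    literal_bytes r = { .ok = true, .len = 0 };
    if (quoted && ndigits % 2 != 0) { r.ok = false; return r; }   /* X'a' rejected */
    if (ndigits == 0)
        return r;                          /* x'' -> empty string, numeric 0 */
    size_t nbytes = (ndigits + 1) / 2;
    if (nbytes > sizeof r.out) { r.ok = false; return r; }
    r.len = nbytes;
    memset(r.out, 0, nbytes);
    /* Walk from the rightmost digit so an odd leading nibble lands in the
       high half of out[0], i.e. 0xaaa becomes the bytes 0x0a 0xaa. */
    for (size_t i = 0; i < ndigits; i++) {
        int v = hexval(digits[ndigits - 1 - i]);
        if (v < 0) { r.ok = false; return r; }
        r.out[nbytes - 1 - i / 2] |= (uint8_t)(v << ((i % 2) * 4));
    }
    return r;
}

/* Whole token as typed in SQL: b'..', B'..', x'..', X'..', or 0x.. */
literal_bytes parse_literal(const char *tok)
{
    literal_bytes bad = { .ok = false, .len = 0 };
    size_t n = strlen(tok);
    if (n >= 3 && tok[0] == '0' && tok[1] == 'x')
        return decode_hex_digits(tok + 2, n - 2, false);
    if (n >= 3 && strchr("bBxX", tok[0]) && tok[1] == '\'' && tok[n - 1] == '\'') {
        if (tok[0] == 'x' || tok[0] == 'X')
            return decode_hex_digits(tok + 2, n - 3, true);
        return decode_bin_digits(tok + 2, n - 3);
    }
    return bad;
}

/* Numeric view: big-endian bytes as an integer, wider values keep their
   low 8 bytes; an empty literal yields 0. */
uint64_t literal_to_u64(const literal_bytes *r)
{
    uint64_t v = 0;
    for (size_t i = 0; i < r->len; i++)
        v = (v << 8) | r->out[i];
    return v;
}

/* Scalar wrappers so each result can be checked directly. */
bool     literal_ok(const char *tok)    { return parse_literal(tok).ok; }
size_t   literal_len(const char *tok)   { return parse_literal(tok).len; }
uint64_t literal_value(const char *tok) { literal_bytes r = parse_literal(tok); return literal_to_u64(&r); }

int main(void)
{
    /* Constructed sample tokens, including the ones discussed in the thread. */
    const char *samples[] = { "b''", "x''", "b'101'", "X'0a'", "X'a'", "0xaaa", "b'102'" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s ok=%d len=%zu value=%llu\n", samples[i], literal_ok(samples[i]),
               literal_len(samples[i]), (unsigned long long)literal_value(samples[i]));
    return 0;
}
```

Running it prints one line per sample: `b''` and `x''` decode with `ok=1 len=0 value=0`, `X'a'` and `b'102'` are rejected, and `0xaaa` decodes to two bytes with value 2730 (0x0aaa), matching the documented padding rule.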
[9 Sep 2008 10:10] Shane Bester
Bug #39336 was marked as a duplicate of this.
[17 Sep 2008 6:12] Jaga Arikela
I am unable to reproduce this bug on my machine. I am running mysql server 5.0.45 version on a Windows XP machine. Please help me in reproducing the bug.