Bug #41797 Server crashes when calling a UDF created with a wrong return data type.
Submitted: 30 Dec 2008 15:05 Modified: 5 Jan 2009 15:49
Reporter: Santo Leto Email Updates:
Status: Won't fix Impact on me:
None 
Category:MySQL Server: User-defined functions ( UDF ) Severity:S2 (Serious)
Version:5.1.30, 5.0.66a-enterprise, 5.0, 5.1, 6.0 bzr OS:Any (Windows XPSP2, Linux)
Assigned to: CPU Architecture:Any
Tags: udf, user defined function

[30 Dec 2008 15:05] Santo Leto 
Description:
Server crashes when users call a UDF function if that function has been added with a wrong return data type.

I'm not sure you want fix this. 

How to repeat:
Attached please find a simple UDF for testing purposes: myudf.dll
It includes three functions:

CREATE FUNCTION `metaphon` RETURNS STRING SONAME 'myudf.dll'; 
CREATE FUNCTION `myfunc_double` RETURNS REAL SONAME 'myudf.dll'; 
CREATE FUNCTION `myfunc_int` RETURNS INTEGER SONAME 'myudf.dll';

1) Read plugin dir of your server: SHOW VARIABLES LIKE 'plugin_dir'; 
2) Copy and paste the attached dll in your plugin dir
3) Add the function myfunc_double to the server with a wrong return data type
4) Call the function

SQL Script:

USE test;
SELECT USER(), VERSION();
DROP FUNCTION IF EXISTS `myfunc_double`;
CREATE FUNCTION `myfunc_double` RETURNS STRING SONAME 'myudf.dll'; 
SELECT * FROM `mysql`.`func` WHERE `name` = 'myfunc_double';
SELECT myfunc_double(22);

Output:

mysql> USE test;
Database changed
mysql> SELECT USER(), VERSION();
+----------------+----------------------+
| USER()         | VERSION()            |
+----------------+----------------------+
| root@localhost | 5.1.30-community-log |
+----------------+----------------------+
1 row in set (0.00 sec)

mysql> DROP FUNCTION IF EXISTS `myfunc_double`;
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> CREATE FUNCTION `myfunc_double` RETURNS STRING SONAME 'myudf.dll';
Query OK, 0 rows affected (0.01 sec)

mysql> SELECT * FROM `mysql`.`func` WHERE `name` = 'myfunc_double';
+---------------+-----+-----------+----------+
| name          | ret | dl        | type     |
+---------------+-----+-----------+----------+
| myfunc_double |   0 | myudf.dll | function |
+---------------+-----+-----------+----------+
1 row in set (0.00 sec)

mysql> SELECT myfunc_double(22);
ERROR 2013 (HY000): Lost connection to MySQL server during query
[30 Dec 2008 15:10] MySQL Verification Team 
Thank you for the bug report. Could you please provide the C code to compile the offended UDF?. Thanks in advance.
[30 Dec 2008 16:32] Santo Leto 
The source code is in the file sql/udf_example.c included in the MySQL source distribution. Unfortunately, I don't remember the version I used to compile that DLL. Perhaps a very old version of the code.

I would suggest you to use the latest code to compile a new DLL and try to repeat the bug with that DLL. Unfortunately I can't do this by myself.
Another idea is to use another DLL, try to import a function with a wrong data type, then call it and see if the server crashes.

Hope this helps.

Regards,
Santo.
[30 Dec 2008 18:32] Sveta Smirnova 
Thank you for the report.

Verified as described using our udf_example.
[5 Jan 2009 15:49] Georgi Kodinov 
AFAIK there's no sane way to check the return type of a C function at run time.
The correspondence C return type/SQL declared return type should be maintained by the function developer.