Bug #49134 5.1 server segfaults with 2byte collation file
Submitted: 26 Nov 2009 11:03   Modified: 12 Mar 2010 16:45
Reporter: Nidhi Shrotriya
Status: Closed
Category: MySQL Server: Charsets   Severity: S3 (Non-critical)
Version: 5.1.41   OS: Any
Assigned to: Alexander Barkov   CPU Architecture: Any
Triage: Triaged: D1 (Critical)

[26 Nov 2009 11:03] Nidhi Shrotriya
Description:
Use 2-byte collation IDs with 5.5, then downgrade the server to 5.1. Starting the 5.1 server with --character-sets-dir=<mysql-5.5 basedir>/mysql-test/std_data, with the Index.xml present, segfaults the server.

2-byte collation IDs are not supported in 5.1, but this probably shouldn't segfault.

How to repeat:
As mentioned in the description.
[27 Nov 2009 6:27] Sveta Smirnova
Thank you for the report.

Verified as described.
[10 Dec 2009 12:41] Alexander Barkov
Nidhi, Sveta,

which queries did you use to make the old server crash?

Thanks!
[11 Dec 2009 8:12] Sveta Smirnova
No query, just start with this option.

Not repeatable for me with current 5.1.43.
[14 Dec 2009 11:19] Alexander Barkov
I cannot reproduce with mysql-5.1-bugfixing tree.

mysql> select version();
+--------------+
| version()    |
+--------------+
| 5.1.41-debug | 
+--------------+
1 row in set (0.00 sec)

mysql> show variables like 'character_sets_dir';
+--------------------+----------------------------------------------------------------------+
| Variable_name      | Value                                                                |
+--------------------+----------------------------------------------------------------------+
| character_sets_dir | /home/bar/mysql-bzr/mysql-next-mr-bar/mysql-test/std_data/Index.xml/ | 
+--------------------+----------------------------------------------------------------------+
1 row in set (0.00 sec)
[14 Dec 2009 12:56] Alexander Barkov
The crash is not always repeatable with mysql-5.1.42-bugteam.

However, after analysing the code, I think that
the function add_collation() in charset.c does
not check that cs->number is within the size
of the array all_charsets, which is 256 in 5.1.

When loading an Index.xml file with a 2-byte collation ID,
all_charsets[cs->number] points outside of the all_charsets range.

So the code should be fixed to check that cs->number
is not greater than array_elements(all_charsets).

Adding this piece of code with a huge collation ID
into Index.xml makes the server crash:

   <collation name="utf8_hugeid_ci" id="2047000000">
      <rules>
        <reset>a</reset>
        <s>b</s>
      </rules>
   </collation>
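As an added illustration (not MySQL's code), a small C model of the range check described above: all_charsets[] has 256 slots as in 5.1, parse_collation_id() and the static pool are assumed helpers standing in for the real Index.xml loader, and the XML fragments fed to it are constructed.

```c
/* Added example, not MySQL's code: a model of the 5.1 charset table and of
 * the range check the fix adds to add_collation(). */
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

#define MY_ALL_CHARSETS_SIZE 256                 /* 5.1 table size, as the report says */
#define array_elements(A) (sizeof(A) / sizeof((A)[0]))

typedef struct { unsigned number; } CHARSET_INFO;  /* cut down to the field that matters */
CHARSET_INFO *all_charsets[MY_ALL_CHARSETS_SIZE];

/* Parse the id="..." attribute of a <collation> element (assumed helper standing
 * in for the real Index.xml loader). Returns 0 on success, -1 if absent/invalid. */
int parse_collation_id(const char *element, unsigned long *id)
{
  const char *p = strstr(element, "id=\"");
  char *end;
  if (!p) return -1;
  p += 4;
  errno = 0;
  *id = strtoul(p, &end, 10);
  if (errno == ERANGE || end == p || *end != '"') return -1;
  return 0;
}

/* Checked version: before the fix, all_charsets[cs->number] = cs ran with no
 * range test, so an id of 256 or more wrote past the end of the table.
 * Returns 0 if stored, -1 if rejected. */
int add_collation_checked(CHARSET_INFO *cs)
{
  if (cs->number >= array_elements(all_charsets))
    return -1;
  all_charsets[cs->number] = cs;
  return 0;
}

/* Load one <collation> element from a (constructed) Index.xml fragment into a
 * small static pool. Returns 0 if stored, -1 if the element was rejected. */
int load_collation_from_xml(const char *element)
{
  static CHARSET_INFO pool[8];
  static size_t pool_used;
  unsigned long id;
  if (pool_used >= array_elements(pool)) return -1;
  if (parse_collation_id(element, &id) != 0 || id > UINT_MAX) return -1;
  pool[pool_used].number = (unsigned) id;
  return add_collation_checked(&pool[pool_used++]);
}
```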
[14 Dec 2009 13:03] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/93905

3269 Alexander Barkov	2009-12-14
      Bug#49134 5.1 server segfaults with 2byte collation file
      
      Problem: add_collation did not check that cs->number is smaller
      than the number of elements in the array all_charsets[],
      so server could crash when loading an Index.xml file with
      a collation ID greater than the number of elements
      (for example when downgrading from 5.5).
      
      Fix: adding a condition to check that cs->number is not out of valid range.
[15 Dec 2009 9:53] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/94080

3274 Alexander Barkov	2009-12-15
      Bug#49134 5.1 server segfaults with 2byte collation file
      
      Problem: add_collation did not check that cs->number is smaller
      than the number of elements in the array all_charsets[],
      so server could crash when loading an Index.xml file with
      a collation ID greater than the number of elements
      (for example when downgrading from 5.5).
      
      Fix: adding a condition to check that cs->number is not out of valid range.
[15 Dec 2009 10:15] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/94084

3776 Alexander Barkov	2009-12-15 [merge]
      Merging Bug#49134 from mysql-5.1-bugteam
[15 Dec 2009 10:16] Alexander Barkov
Pushed into:
mysql-5.1-bugteam (5.1.42)
mysql-pe (6.0.14)
[19 Dec 2009 8:28] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20091219082307-f3i4fn0tm8trb3c0) (version source revid:alik@sun.com-20091216180721-eoa754i79j4ssd3m) (merge vers: 6.0.14-alpha) (pib:15)
[19 Dec 2009 8:32] Bugs System
Pushed into 5.5.1-m2 (revid:alik@sun.com-20091219082021-f34nq4jytwamozz0) (version source revid:alexey.kopytov@sun.com-20091216134707-o96eqw0u2ynvo9gm) (merge vers: 5.5.0-beta) (pib:15)
[19 Dec 2009 8:36] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20091219082213-nhjjgmphote4ntxj) (version source revid:alik@sun.com-20091216180221-a5ps59gajad3pip9) (pib:15)
[8 Jan 2010 1:15] Paul Dubois
Bug affects 5.1, so no changelog entry needed for 5.5+.

Setting report to NDI pending push to 5.1.x.
[15 Jan 2010 9:00] Bugs System
Pushed into 5.1.43 (revid:joro@sun.com-20100115085139-qkh0i0fpohd9u9p5) (version source revid:bar@mysql.com-20091215094829-a67epp1rbkkkw1rc) (merge vers: 5.1.42) (pib:16)
[22 Jan 2010 1:16] Paul Dubois
Noted in 5.1.43 changelog.

MySQL 5.1 does not support 2-byte collation numbers, but did not 
check the number and crashed for out-of-range values.
[12 Mar 2010 14:19] Bugs System
Pushed into 5.1.44-ndb-7.0.14 (revid:jonas@mysql.com-20100312135944-t0z8s1da2orvl66x) (version source revid:jonas@mysql.com-20100312115609-woou0te4a6s4ae9y) (merge vers: 5.1.44-ndb-7.0.14) (pib:16)
[12 Mar 2010 14:34] Bugs System
Pushed into 5.1.44-ndb-6.2.19 (revid:jonas@mysql.com-20100312134846-tuqhd9w3tv4xgl3d) (version source revid:jonas@mysql.com-20100312060623-mx6407w2vx76h3by) (merge vers: 5.1.44-ndb-6.2.19) (pib:16)
[12 Mar 2010 14:50] Bugs System
Pushed into 5.1.44-ndb-6.3.33 (revid:jonas@mysql.com-20100312135724-xcw8vw2lu3mijrhn) (version source revid:jonas@mysql.com-20100312103652-snkltsd197l7q2yg) (merge vers: 5.1.44-ndb-6.3.33) (pib:16)