Bug #74432 UDF interface provides wrong length info for args which were converted to NULL
Submitted: 17 Oct 2014 19:22
Reporter: Sveta Smirnova Email Updates:
Status: Verified Impact on me:
None 
Category:MySQL Server: User-defined functions ( UDF ) Severity:S3 (Non-critical)
Version:5.6.21 OS:Any
Assigned to: CPU Architecture:Any
Triage: Needs Triage: D1 (Critical)

[17 Oct 2014 19:22] Sveta Smirnova
Description:
The UDF interface provides wrong length information to UDF functions when the result of an expression that was converted to NULL is passed. If the UDF creator does not check every argument for a NULL value, the function can crash.

How to repeat:
Create function as follows:

#include <mysql.h>
#include <cstdio>
#include <cstring>

/* C linkage so the server can resolve the symbol with dlsym() after CREATE FUNCTION. */
extern "C" long long null_bug(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
{
	/* For unhex('z') the server reports a non-zero lengths[0] while args->args[0] is NULL,
	   so the memcpy below dereferences a NULL pointer and the server crashes. */
	if (0 < args->lengths[0])
		if (STRING_RESULT == args->arg_type[0] || DECIMAL_RESULT == args->arg_type[0])
		{
			/* array new: "new char(n)" would allocate a single char with value n */
			char *test= new char[args->lengths[0] + 1];
			memcpy(test, args->args[0], args->lengths[0]);
			test[args->lengths[0]]= '\0';
			fprintf(stderr, "string: %s\n", test);
			delete[] test;
		}
		else if (INT_RESULT == args->arg_type[0])
			fprintf(stderr, "numeric: %lld\n", *((long long*) args->args[0]));
		else if (REAL_RESULT == args->arg_type[0])
			fprintf(stderr, "numeric: %e\n", *((double*) args->args[0]));

	return 1;
}

Call it as:

select null_bug(unhex('z'));

If I pass NULL instead of unhex('z'), the function works fine.

Suggested fix:
Provide 0 as the argument length in such cases.
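As an added example (not from the report or its attachment), a hardened counterpart of the function above that checks the argument's data pointer before trusting the reported length, which is the check the description says a UDF author must make. The names `null_bug_safe`, `arg_is_null` and `demo_call` are chosen here, and the `UDF_ARGS`/`UDF_INIT`/`Item_result` definitions are constructed stand-ins so the snippet compiles without the server headers.

```cpp
#include <cstdio>
#include <cstring>

// Constructed stand-ins for the parts of MySQL's <mysql.h> used here (field names and
// types follow the real UDF_ARGS / UDF_INIT / Item_result); a real UDF includes <mysql.h>.
enum Item_result { STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT, DECIMAL_RESULT };
struct UDF_ARGS {
    unsigned int arg_count;      // number of arguments
    enum Item_result *arg_type;  // type of each argument
    char **args;                 // data pointer per argument; NULL means SQL NULL
    unsigned long *lengths;      // reported length per argument
};
struct UDF_INIT { bool maybe_null; };

// Hypothetical helper: the NULL data pointer is the only reliable NULL signal;
// lengths[i] is not consulted until the pointer has been checked.
static bool arg_is_null(const UDF_ARGS *args, unsigned int i) {
    return i >= args->arg_count || args->args[i] == nullptr;
}

// Hardened counterpart of the report's null_bug(): same UDF signature, but it
// never reads args[0] or trusts lengths[0] for a NULL argument. Returns the
// number of bytes it read from the argument, 0 when the argument was NULL.
long long null_bug_safe(UDF_INIT *, UDF_ARGS *args, char *is_null, char *) {
    if (arg_is_null(args, 0)) {
        *is_null = 1;            // propagate SQL NULL instead of crashing
        return 0;
    }
    if (args->arg_type[0] == STRING_RESULT || args->arg_type[0] == DECIMAL_RESULT) {
        char buf[256];           // bounded copy: long values are truncated, not overrun
        size_t n = args->lengths[0] < sizeof(buf) - 1 ? args->lengths[0] : sizeof(buf) - 1;
        memcpy(buf, args->args[0], n);
        buf[n] = '\0';
        fprintf(stderr, "string: %s\n", buf);
        return static_cast<long long>(n);
    }
    *is_null = 1;                // numeric result types are left out of this example
    return 0;
}

// Constructed single-argument call. With data == nullptr and len == 1 it mirrors
// what the report describes for null_bug(unhex('z')): a NULL pointer next to a
// non-zero length, which crashed the original function.
long long demo_call(char *data, unsigned long len, char *is_null_out) {
    enum Item_result type = STRING_RESULT;
    UDF_ARGS args = {1, &type, &data, &len};
    *is_null_out = 0;
    return null_bug_safe(nullptr, &args, is_null_out, nullptr);
}
```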
[17 Oct 2014 19:23] Sveta Smirnova
complete test case

Attachment: null_bug.tar.gz (application/x-gzip, text), 4.09 KiB.

[17 Oct 2014 19:24] Sveta Smirnova
To compile test case run:

cmake . -DMYSQL_DIR=/path/to/mysql/dir
make

To run tests:

MYSQL_DIR=/path/to/mysql/dir make -f Makefile.unix test_null_bug