| Bug #74432 | UDF interface provides wrong length info for args which were converted to NULL | ||
|---|---|---|---|
| Submitted: | 17 Oct 2014 19:22 | ||
| Reporter: | Sveta Smirnova | Email Updates: | |
| Status: | Verified | Impact on me: | |
| Category: | MySQL Server: User-defined functions ( UDF ) | Severity: | S3 (Non-critical) |
| Version: | 5.6.21 | OS: | Any |
| Assigned to: | CPU Architecture: | Any | |
[17 Oct 2014 19:23]
Sveta Smirnova
complete test case
Attachment: null_bug.tar.gz (application/x-gzip, text), 4.09 KiB.
[17 Oct 2014 19:24]
Sveta Smirnova
To compile test case run: cmake . -DMYSQL_DIR=/path/to/mysql/dir make To run tests: MYSQL_DIR=/path/to/mysql/dir make -f Makefile.unix test_null_bug
Description: UDF interface provides wrong length information for UDF functions in case if result of expression, converted to NULL, passed. If UDF creator does not check every argument for NULL value, function can crash. How to repeat: Create function as follows: long long null_bug(UDF_INIT *null, UDF_ARGS *args, char *is_null, char *error) { if (0 < args->lengths[0]) if (STRING_RESULT == args->arg_type[0] || DECIMAL_RESULT == args->arg_type[0]) { char* test= new char(args->lengths[0] + 1); memcpy(test, args->args[0], args->lengths[0]); test[args->lengths[0]]= '\0'; fprintf(stderr, "string: %s\n", test); } else if (INT_RESULT == args->arg_type[0]) fprintf(stderr, "numeric: %lld\n", *((long long*) args->args[0])); else if (REAL_RESULT == args->arg_type[0]) fprintf(stderr, "numeric: %e\n", *((double*) args->args[0])); return 1; } Call it as: select null_bug(unhex('z')); If I pass NULL instead of unhex('z') function works fine. Suggested fix: Provide 0 as argument length in such cases.