Bug #79396 null pointer dereference
Submitted: 24 Nov 2015 11:48 Modified: 26 Apr 2016 14:19
Reporter: Павел Гусев
Status: Closed
Category: MySQL Server: Stored Routines    Severity: S3 (Non-critical)
Version:    OS: Any
Assigned to:    CPU Architecture: Any

[24 Nov 2015 11:48] Павел Гусев
Description:
In file mysql-server/sql/sp.cc at line 2605 there is an if-statement:

bool sp_check_name(LEX_STRING *ident)
{
  if (!ident || !ident->str || !ident->str[0] ||
      ident->str[ident->length-1] == ' ')
  {
    my_error(ER_SP_WRONG_NAME, MYF(0), ident->str);
    return true;
  }
..
}

It seems that if ident = 0 there will be a null pointer dereference.

GitHub link: https://github.com/mysql/mysql-server/blob/5.7/sql/sp.cc#L2605

The possible defect was found by AppChecker static analyzer.

How to repeat:
Nothing to repeat, it's just a possible weakness in the code.
[27 Nov 2015 18:05] Sinisa Milivojevic
Are you referring to this statement:

my_error(ER_SP_WRONG_NAME, MYF(0), ident->str);

where both `ident` or/and `ident->str` may be NULL ???

Please, reply ....
[27 Nov 2015 18:48] Павел Гусев
I mean,
if ident is NULL, the whole expression (!ident || !ident->str || !ident->str[0] ||
ident->str[ident->length-1] == ' ') is true, because (!ident) is true,
so this code is executed:
my_error(ER_SP_WRONG_NAME, MYF(0), ident->str);
but ident is NULL.

I guess, it should be
if (!ident ) 
{
    my_error(ER_SP_WRONG_NAME, MYF(0));
    return true;
}

if (!ident->str || !ident->str[0] || ident->str[ident->length-1] == ' ')
{
    my_error(ER_SP_WRONG_NAME, MYF(0), ident->str);
    return true;
}
[30 Nov 2015 14:37] Sinisa Milivojevic
Pavel,

Thank you for your report. I do not think that your patch is good enough. I would vote for the following patch:

if (!ident || !ident->str ) 
{
   my_error(ER_SP_WRONG_NAME, MYF(0));
   return true;
}

if (!ident->str[0] || ident->str[ident->length-1] == ' ')
{
   my_error(ER_SP_WRONG_NAME, MYF(0), ident->str);
   return true;
}

Simply, ident->str could be NULL !!!!
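The two checks discussed in this thread side by side, as an added example that is not MySQL's own code: LEX_STRING and my_error() are replaced by minimal stand-ins (assumptions), the first function keeps the shape of the original check, and the second follows the patch proposed above plus a length == 0 guard that the thread does not include.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for MySQL's LEX_STRING (assumption: only str and length matter here). */
typedef struct { const char *str; size_t length; } LEX_STRING;

/* Stand-in for my_error(ER_SP_WRONG_NAME, ...): records the message instead of raising it. */
static char last_error[128];
static void wrong_name(const char *name)
{
    snprintf(last_error, sizeof last_error, "Incorrect routine name '%s'", name ? name : "");
}

/* Shape of the original check: the condition rejects a NULL ident, but the
 * error call then reads ident->str through that same NULL pointer. */
int sp_check_name_original(const LEX_STRING *ident)
{
    if (!ident || !ident->str || !ident->str[0] ||
        ident->str[ident->length - 1] == ' ') {
        wrong_name(ident->str);          /* dereferences NULL when ident == NULL */
        return 1;
    }
    return 0;
}

/* Hardened form following the second patch in the thread: rule out a NULL
 * struct or NULL buffer first, then apply the content rules on a pointer that
 * is known to be valid. The length == 0 guard is an addition: it keeps
 * ident->length - 1 from wrapping on size_t if the struct is inconsistent. */
int sp_check_name_fixed(const LEX_STRING *ident)
{
    if (!ident || !ident->str || ident->length == 0) {
        wrong_name(NULL);                /* no pointer to report, so none is read */
        return 1;
    }
    if (!ident->str[0] || ident->str[ident->length - 1] == ' ') {
        wrong_name(ident->str);
        return 1;
    }
    return 0;
}

int main(void)
{
    /* constructed sample names: valid, trailing space, empty, and a NULL struct */
    LEX_STRING ok = { "proc_1", 6 }, trailing = { "proc_1 ", 7 }, empty = { "", 0 };
    printf("%d %d %d %d\n", sp_check_name_fixed(&ok), sp_check_name_fixed(&trailing),
           sp_check_name_fixed(&empty), sp_check_name_fixed(NULL));  /* prints 0 1 1 1 */
    return 0;
}
```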
[26 Apr 2016 14:19] Paul Dubois
Posted by developer:
 
Noted in 5.5.50, 5.6.31, 5.7.13 changelogs.

A null pointer dereference of a parser structure could occur during
stored procedure name validation.