Bug #91754 Inserting 16MiB BLOB shifts it by four bytes when prepared
Submitted: 22 Jul 2018 4:40
Modified: 23 Jul 2018 21:03
Reporter: Bradley Grainger (OCA)
Status: Verified
Category: Connector / NET
Severity: S2 (Serious)
Version: 8.0.11
OS: Microsoft Windows (10.0.17134.167)
Assigned to:
CPU Architecture: Any (x64)

[22 Jul 2018 4:40] Bradley Grainger
Description:
If MySqlCommand.Prepare() is called for an INSERT statement with a byte[] MySqlParameter that is 16MiB (16,777,216 bytes) or longer, then the BLOB that is inserted is shifted by four bytes: the first four bytes are dropped and the last four bytes are filled with zeroes.

How to repeat:
Run this C# code:

using System;
using MySql.Data.MySqlClient;

// NOTE: MUST have IgnorePrepare=false in connection string
using (var connection = new MySqlConnection("...;IgnorePrepare=false"))
{
	connection.Open();
	using (var command = new MySqlCommand(@"
DROP TABLE IF EXISTS test_blob;
CREATE TABLE test_blob(data LONGBLOB NOT NULL);
", connection))
		command.ExecuteNonQuery();

	// BLOB must be at least 16MiB; create unique data at the beginning
	var data = new byte[16777216];
	var random = new Random(1);
	random.NextBytes(data);
	for (int i = 0; i < 16; i++)
		data[i] = (byte) i;

	using (var command = new MySqlCommand(@"INSERT INTO test_blob VALUES(@data);", connection))
	{
		command.Parameters.AddWithValue("@data", data);
		
		// *** this causes the bug ***
		command.Prepare();

		command.ExecuteNonQuery();
	}

	// check the inserted data
	using (var command = new MySqlCommand(@"SELECT data FROM test_blob;", connection))
	{
		var result = (byte[]) command.ExecuteScalar();

		// data is [ 0, 1, 2, 3, 4, ... 13, 221, 197, 90, 177, 17, 244, 84 ]
		// result is [ 4, 5, 6, 7, 8, ... 177, 17, 244, 84, 0, 0, 0, 0 ]
	}
}

[23 Jul 2018 6:45] Chiranjeevi Battula
Hello Bradley Grainger,

Thank you for the bug report and test case.
Verified this behavior on Visual Studio 2017 (C#.Net) and Connector/NET 8.0.11 version.

Thanks,
Chiranjeevi.

[23 Jul 2018 6:46] Chiranjeevi Battula
Screenshot

Attachment: Bug_91754.PNG (image/png, text), 60.80 KiB.

[23 Jul 2018 21:03] Bradley Grainger
Interestingly, your screenshot shows that 'result' has a length of 16777212, i.e., it has been truncated by four bytes. 

I'm not seeing that on my system; I see a length of 16777216 bytes with four zero bytes at the end. (It's still a bug either way.)
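
A round-trip check that tells apart the two outcomes reported in this thread (four zero bytes at the end versus a result four bytes short), as an added example that is not part of the bug report or of Connector/NET. `BlobRoundTripCheck`, `Classify` and `maxShift` are hypothetical names, and the 64-byte sample is constructed to stand in for the 16 MiB value; in the repro above it would be called with `data` and the `ExecuteScalar()` result.

```csharp
using System;

static class BlobRoundTripCheck
{
    // Compares the bytes written with the bytes read back and names the mismatch.
    public static string Classify(ReadOnlySpan<byte> data, ReadOnlySpan<byte> result, int maxShift = 8)
    {
        if (data.SequenceEqual(result))
            return "identical";

        for (int shift = 1; shift <= maxShift && shift < data.Length; shift++)
        {
            int kept = data.Length - shift;
            // result must begin with data[shift..] for this shift to match
            if (result.Length < kept || !data.Slice(shift).SequenceEqual(result.Slice(0, kept)))
                continue;
            if (result.Length == kept)
                return $"first {shift} bytes dropped, length short by {shift}";
            if (result.Length == data.Length && AllZero(result.Slice(kept)))
                return $"first {shift} bytes dropped, last {shift} bytes zero-filled";
        }
        return "different (not a simple shift)";
    }

    static bool AllZero(ReadOnlySpan<byte> tail)
    {
        foreach (byte b in tail)
            if (b != 0) return false;
        return true;
    }

    static void Main()
    {
        // Constructed sample: 64 bytes stand in for the 16 MiB parameter value.
        var data = new byte[64];
        new Random(1).NextBytes(data);
        for (int i = 0; i < 16; i++) data[i] = (byte) i;

        // Outcome described in the report: same length, four zero bytes at the end.
        var zeroFilled = new byte[data.Length];
        Array.Copy(data, 4, zeroFilled, 0, data.Length - 4);

        // Outcome seen in the screenshot: length reduced by four bytes.
        var truncated = data.AsSpan(4).ToArray();

        Console.WriteLine(Classify(data, data));
        Console.WriteLine(Classify(data, zeroFilled));
        Console.WriteLine(Classify(data, truncated));
    }
}
```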