Bug#14494275 HEAP CORRUPTION IN DECIMAL2BIN WITH LOW MAX_SORT_LENGTH

Tor Didriksen · Tor Didriksen · commit 2e244455fb84 · 2012-08-30T08:24:57.000+02:00
The problem was that if the user sets a very small max_sort_length
this value was honored by the function sortlength() but
later ignored by make_sortkey().
This can result in buffer overrun.

Solution one: always stay within the bounds of max_sort_length
as specified by the user.
This is what we have always done, even if the documentation says
it is only done for strings/blobs.

Sorting results may be a bit strange, since we use only the first few bytes
of int/float/decimal/time.
diff --git a/sql/filesort.cc b/sql/filesort.cc
@@ -55,7 +55,6 @@ static ha_rows find_all_keys(Sort_param *param,SQL_SELECT *select,
                              ha_rows *found_rows);
 static int write_keys(Sort_param *param, Filesort_info *fs_info,
                       uint count, IO_CACHE *buffer_file, IO_CACHE *tempfile);
-static void make_sortkey(Sort_param *param,uchar *to, uchar *ref_pos);
 static void register_used_fields(Sort_param *param);
 static int merge_index(Sort_param *param,uchar *sort_buffer,
                        BUFFPEK *buffpek,
@@ -64,8 +63,6 @@ static int merge_index(Sort_param *param,uchar *sort_buffer,
 static bool save_index(Sort_param *param, uint count,
                        Filesort_info *table_sort);
 static uint suffix_length(ulong string_length);
-static uint sortlength(THD *thd, SORT_FIELD *sortorder, uint s_length,
-		       bool *multi_byte_charset);
 static SORT_ADDON_FIELD *get_addon_fields(ulong max_length_for_sort_data,
                                           Field **ptabfield,
                                           uint sortlength, uint *plength);
@@ -932,22 +929,35 @@ static inline void store_length(uchar *to, uint length, uint pack_length)
 }
 
 
+#ifdef WORDS_BIGENDIAN
+const bool Is_big_endian= true;
+#else
+const bool Is_big_endian= false;
+#endif
+void copy_native_longlong(uchar *to, int to_length,
+                          longlong val, bool is_unsigned)
+{
+  copy_integer<Is_big_endian>(to, to_length,
+                              static_cast<uchar*>(static_cast<void*>(&val)),
+                              sizeof(longlong),
+                              is_unsigned);
+}
+
+
 /** Make a sort-key from record. */
 
-static void make_sortkey(register Sort_param *param,
-                         register uchar *to, uchar *ref_pos)
+void make_sortkey(Sort_param *param, uchar *to, uchar *ref_pos)
 {
-  reg3 Field *field;
-  reg1 SORT_FIELD *sort_field;
-  reg5 uint length;
+  SORT_FIELD *sort_field;
 
-  for (sort_field=param->local_sortorder ;
+  for (sort_field= param->local_sortorder ;
        sort_field != param->end ;
        sort_field++)
   {
-    bool maybe_null=0;
-    if ((field=sort_field->field))
-    {						// Field
+    bool maybe_null= false;
+    if (sort_field->field)
+    {
+      Field *field= sort_field->field;
       if (field->maybe_null())
       {
 	if (field->is_null())
@@ -1001,7 +1011,7 @@ static void make_sortkey(register Sort_param *param,
           }
           break;
         }
-        length= res->length();
+        uint length= res->length();
         sort_field_length= sort_field->length - sort_field->suffix_length;
         diff=(int) (sort_field_length - length);
         if (diff < 0)
@@ -1062,27 +1072,8 @@ static void make_sortkey(register Sort_param *param,
               break;
             }
           }
-#if SIZEOF_LONG_LONG > 4
-	  to[7]= (uchar) value;
-	  to[6]= (uchar) (value >> 8);
-	  to[5]= (uchar) (value >> 16);
-	  to[4]= (uchar) (value >> 24);
-	  to[3]= (uchar) (value >> 32);
-	  to[2]= (uchar) (value >> 40);
-	  to[1]= (uchar) (value >> 48);
-          if (item->unsigned_flag)                    /* Fix sign */
-            to[0]= (uchar) (value >> 56);
-          else
-            to[0]= (uchar) (value >> 56) ^ 128;	/* Reverse signbit */
-#else
-	  to[3]= (uchar) value;
-	  to[2]= (uchar) (value >> 8);
-	  to[1]= (uchar) (value >> 16);
-          if (item->unsigned_flag)                    /* Fix sign */
-            to[0]= (uchar) (value >> 24);
-          else
-            to[0]= (uchar) (value >> 24) ^ 128;	/* Reverse signbit */
-#endif
+          copy_native_longlong(to, sort_field->length,
+                               value, item->unsigned_flag);
 	  break;
 	}
       case DECIMAL_RESULT:
@@ -1098,9 +1089,20 @@ static void make_sortkey(register Sort_param *param,
             }
             *to++=1;
           }
-          my_decimal2binary(E_DEC_FATAL_ERROR, dec_val, to,
-                            item->max_length - (item->decimals ? 1:0),
-                            item->decimals);
+          if (sort_field->length < DECIMAL_MAX_FIELD_SIZE)
+          {
+            uchar buf[DECIMAL_MAX_FIELD_SIZE];
+            my_decimal2binary(E_DEC_FATAL_ERROR, dec_val, buf,
+                              item->max_length - (item->decimals ? 1:0),
+                              item->decimals);
+            memcpy(to, buf, sort_field->length);
+          }
+          else
+          {
+            my_decimal2binary(E_DEC_FATAL_ERROR, dec_val, to,
+                              item->max_length - (item->decimals ? 1:0),
+                              item->decimals);
+          }
          break;
         }
       case REAL_RESULT:
@@ -1116,7 +1118,16 @@ static void make_sortkey(register Sort_param *param,
             }
 	    *to++=1;
           }
-	  change_double_for_sort(value,(uchar*) to);
+          if (sort_field->length < sizeof(double))
+          {
+            uchar buf[sizeof(double)];
+            change_double_for_sort(value, buf);
+            memcpy(to, buf, sort_field->length);
+          }
+          else
+          {
+            change_double_for_sort(value, (uchar*) to);
+          }
 	  break;
 	}
       case ROW_RESULT:
@@ -1130,7 +1141,7 @@ static void make_sortkey(register Sort_param *param,
     {							/* Revers key */
       if (maybe_null)
         to[-1]= ~to[-1];
-      length=sort_field->length;
+      uint length= sort_field->length;
       while (length--)
       {
 	*to = (uchar) (~ *to);
@@ -1154,7 +1165,7 @@ static void make_sortkey(register Sort_param *param,
     DBUG_ASSERT(addonf != 0);
     memset(nulls, 0, addonf->offset);
     to+= addonf->offset;
-    for ( ; (field= addonf->field) ; addonf++)
+    for (Field* field; (field= addonf->field) ; addonf++)
     {
       if (addonf->null_bit && field->is_null())
       {
@@ -1791,15 +1802,14 @@ static uint suffix_length(ulong string_length)
     Total length of sort buffer in bytes
 */
 
-static uint
+uint
 sortlength(THD *thd, SORT_FIELD *sortorder, uint s_length,
            bool *multi_byte_charset)
 {
-  reg2 uint length;
+  uint total_length= 0;
   const CHARSET_INFO *cs;
-  *multi_byte_charset= 0;
+  *multi_byte_charset= false;
 
-  length=0;
   for (; s_length-- ; sortorder++)
   {
     sortorder->need_strxnfrm= 0;
@@ -1816,7 +1826,7 @@ sortlength(THD *thd, SORT_FIELD *sortorder, uint s_length,
         sortorder->length= cs->coll->strnxfrmlen(cs, sortorder->length);
       }
       if (sortorder->field->maybe_null())
-	length++;				// Place for NULL marker
+        total_length++;                       // Place for NULL marker
     }
     else
     {
@@ -1825,7 +1835,7 @@ sortlength(THD *thd, SORT_FIELD *sortorder, uint s_length,
         sortorder->result_type= INT_RESULT;
       switch (sortorder->result_type) {
       case STRING_RESULT:
-	sortorder->length=sortorder->item->max_length;
+	sortorder->length= sortorder->item->max_length;
         set_if_smaller(sortorder->length, thd->variables.max_sort_length);
 	if (use_strnxfrm((cs=sortorder->item->collation.collation)))
 	{ 
@@ -1848,6 +1858,7 @@ sortlength(THD *thd, SORT_FIELD *sortorder, uint s_length,
 #endif
 	break;
       case DECIMAL_RESULT:
+        // NOTE: max length here is 65 bytes, we might need to truncate!
         sortorder->length=
           my_decimal_get_binary_size(sortorder->item->max_length - 
                                      (sortorder->item->decimals ? 1 : 0),
@@ -1863,14 +1874,14 @@ sortlength(THD *thd, SORT_FIELD *sortorder, uint s_length,
 	break;
       }
       if (sortorder->item->maybe_null)
-	length++;				// Place for NULL marker
+        total_length++;                       // Place for NULL marker
     }
     set_if_smaller(sortorder->length, thd->variables.max_sort_length);
-    length+=sortorder->length;
+    total_length+= sortorder->length;
   }
-  sortorder->field= (Field*) 0;			// end marker
-  DBUG_PRINT("info",("sort_length: %d",length));
-  return length;
+  sortorder->field= NULL;                       // end marker
+  DBUG_PRINT("info",("sort_length: %u", total_length));
+  return total_length;
 }
 
 
diff --git a/sql/filesort.h b/sql/filesort.h
@@ -68,4 +68,11 @@ ha_rows filesort(THD *thd, TABLE *table, Filesort *fsort, bool sort_positions,
 void filesort_free_buffers(TABLE *table, bool full);
 void change_double_for_sort(double nr,uchar *to);
 
+class Sort_param;
+/// Declared here so we can unit test it.
+void make_sortkey(Sort_param *param, uchar *to, uchar *ref_pos);
+/// Declared here so we can unit test it.
+uint sortlength(THD *thd, SORT_FIELD *sortorder, uint s_length,
+                bool *multi_byte_charset);
+
 #endif /* FILESORT_INCLUDED */
diff --git a/unittest/gunit/CMakeLists.txt b/unittest/gunit/CMakeLists.txt
@@ -267,6 +267,7 @@ SET(SERVER_TESTS
   item
   item_func_now_local
   join_tab_sort
+  make_sortkey
   my_decimal
   opt_range
   opt_trace
diff --git a/unittest/gunit/make_sortkey-t.cc b/unittest/gunit/make_sortkey-t.cc
