Bug #21056907: CONTENTS OF NOT REQUESTED CHAR/VARCHAR

Sreeharsha Ramanavarapu · Sreeharsha Ramanavarapu · commit 55146e0e56d0 · 2015-07-13T08:03:12.000+05:30
COLUMN ARE REVEALED

Issue:
-----
When a hexadecimal representation of a string literal is
passed as a parameter to the insert function, additional
information is displayed by the SELECT statement.


SOLUTION:
---------
This happens because while creating the hexadecimal
character, the "Alloced_length" is set to the string
length, but the actual allocation does not happen. This
will result in the same string being used for multiple
rows, and the new string will be appended to the old one.

The solution is to check whether a string is actually
allocated, if not make sure that this is done.

Also, when a string is supplied from a variable,
String-&gt;realloc will result in truncation if 'to' and
'from' overlap. This needs to be handled by forcing an
allocation on the heap.

Functions like lcase/encode/decode may return substrings
that are already allocated on the heap. concat/concat_ws
can have similar problems where temporary results are
over-written. Here uses_buffer_owned_by() can be used
to check if the input string is already allocated on the
heap. If yes, a temporary variable is used to store the
substring.

This fix is a backport of Bug#11765149, Bug#20315088 and
Bug#20554017.
diff --git a/client/sql_string.cc b/client/sql_string.cc
@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -59,12 +59,19 @@ bool String::real_alloc(uint32 length)
 ** (for C functions)
 */
 
-bool String::realloc(uint32 alloc_length)
+bool String::realloc(uint32 alloc_length, bool force_on_heap)
 {
   uint32 len=ALIGN_SIZE(alloc_length+1);
   DBUG_ASSERT(len > alloc_length);
   if (len <= alloc_length)
     return TRUE;                                 /* Overflow */
+
+  if (force_on_heap && !alloced)
+  {
+    /* Bytes will be allocated on the heap.*/
+    Alloced_length= 0;
+  }
+
   if (Alloced_length < len)
   {
     char *new_ptr;
@@ -690,14 +697,14 @@ int stringcmp(const String *s,const String *t)
 
 String *copy_if_not_alloced(String *to,String *from,uint32 from_length)
 {
-  if (from->Alloced_length >= from_length)
+  if (from->alloced && from->Alloced_length >= from_length)
     return from;
   if ((from->alloced && (from->Alloced_length != 0)) || !to || from == to)
   {
-    (void) from->realloc(from_length);
+    (void) from->realloc(from_length, true);
     return from;
   }
-  if (to->realloc(from_length))
+  if (to->realloc(from_length, true))
     return from;				// Actually an error
   if ((to->str_length=min(from->str_length,from_length)))
     memcpy(to->Ptr,from->Ptr,to->str_length);
diff --git a/client/sql_string.h b/client/sql_string.h
@@ -1,7 +1,7 @@
 #ifndef CLIENT_SQL_STRING_INCLUDED
 #define CLIENT_SQL_STRING_INCLUDED
 
-/* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -197,7 +197,7 @@ class String
     return real_alloc(arg_length);
   }
   bool real_alloc(uint32 arg_length);			// Empties old string
-  bool realloc(uint32 arg_length);
+  bool realloc(uint32 arg_length, bool force_on_heap= false);
 
   // Shrink the buffer, but only if it is allocated on the heap.
   inline void shrink(uint32 arg_length)
diff --git a/mysql-test/r/ctype_utf8.result b/mysql-test/r/ctype_utf8.result
@@ -113,7 +113,7 @@ hex(a)	STRCMP(a,'a')	STRCMP(a,'a ')
 DROP TABLE t1;
 select insert('txs',2,1,'hi'),insert('is ',4,0,'a'),insert('txxxxt',2,4,'es');
 insert('txs',2,1,'hi')	insert('is ',4,0,'a')	insert('txxxxt',2,4,'es')
-this	is a	test
+this	is 	test
 select insert("aa",100,1,"b"),insert("aa",1,3,"b");
 insert("aa",100,1,"b")	insert("aa",1,3,"b")
 aa	b
@@ -5141,7 +5141,8 @@ CREATE TABLE t1 (a INT);
 INSERT INTO t1 VALUES (0), (0), (1), (0), (0);
 SELECT COUNT(*) FROM t1, t1 t2 
 GROUP BY INSERT('', t2.a, t1.a, (@@global.max_binlog_size));
-ERROR 23000: Duplicate entry '107374182410737418241' for key 'group_key'
+COUNT(*)
+25
 DROP TABLE t1;
 #
 # Bug#11764503 (Bug#57341) Query in EXPLAIN EXTENDED shows wrong characters
diff --git a/mysql-test/r/ctype_utf8mb4.result b/mysql-test/r/ctype_utf8mb4.result
@@ -116,7 +116,7 @@ hex(a)	STRCMP(a,'a')	STRCMP(a,'a ')
 DROP TABLE t1;
 select insert('txs',2,1,'hi'),insert('is ',4,0,'a'),insert('txxxxt',2,4,'es');
 insert('txs',2,1,'hi')	insert('is ',4,0,'a')	insert('txxxxt',2,4,'es')
-this	is a	test
+this	is 	test
 select insert("aa",100,1,"b"),insert("aa",1,3,"b");
 insert("aa",100,1,"b")	insert("aa",1,3,"b")
 aa	b
diff --git a/mysql-test/r/ctype_utf8mb4_heap.result b/mysql-test/r/ctype_utf8mb4_heap.result
@@ -116,7 +116,7 @@ hex(a)	STRCMP(a,'a')	STRCMP(a,'a ')
 DROP TABLE t1;
 select insert('txs',2,1,'hi'),insert('is ',4,0,'a'),insert('txxxxt',2,4,'es');
 insert('txs',2,1,'hi')	insert('is ',4,0,'a')	insert('txxxxt',2,4,'es')
-this	is a	test
+this	is 	test
 select insert("aa",100,1,"b"),insert("aa",1,3,"b");
 insert("aa",100,1,"b")	insert("aa",1,3,"b")
 aa	b
diff --git a/mysql-test/r/ctype_utf8mb4_innodb.result b/mysql-test/r/ctype_utf8mb4_innodb.result
@@ -116,7 +116,7 @@ hex(a)	STRCMP(a,'a')	STRCMP(a,'a ')
 DROP TABLE t1;
 select insert('txs',2,1,'hi'),insert('is ',4,0,'a'),insert('txxxxt',2,4,'es');
 insert('txs',2,1,'hi')	insert('is ',4,0,'a')	insert('txxxxt',2,4,'es')
-this	is a	test
+this	is 	test
 select insert("aa",100,1,"b"),insert("aa",1,3,"b");
 insert("aa",100,1,"b")	insert("aa",1,3,"b")
 aa	b
diff --git a/mysql-test/r/ctype_utf8mb4_myisam.result b/mysql-test/r/ctype_utf8mb4_myisam.result
@@ -116,7 +116,7 @@ hex(a)	STRCMP(a,'a')	STRCMP(a,'a ')
 DROP TABLE t1;
 select insert('txs',2,1,'hi'),insert('is ',4,0,'a'),insert('txxxxt',2,4,'es');
 insert('txs',2,1,'hi')	insert('is ',4,0,'a')	insert('txxxxt',2,4,'es')
-this	is a	test
+this	is 	test
 select insert("aa",100,1,"b"),insert("aa",1,3,"b");
 insert("aa",100,1,"b")	insert("aa",1,3,"b")
 aa	b
diff --git a/mysql-test/r/func_str.result b/mysql-test/r/func_str.result
@@ -203,7 +203,7 @@ CONCAT('"',CONCAT_WS('";"',repeat('a',60),repeat('b',60),repeat('c',60),repeat('
 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";"cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc";"dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
 select insert('txs',2,1,'hi'),insert('is ',4,0,'a'),insert('txxxxt',2,4,'es');
 insert('txs',2,1,'hi')	insert('is ',4,0,'a')	insert('txxxxt',2,4,'es')
-this	is a	test
+this	is 	test
 select replace('aaaa','a','b'),replace('aaaa','aa','b'),replace('aaaa','a','bb'),replace('aaaa','','b'),replace('bbbb','a','c');
 replace('aaaa','a','b')	replace('aaaa','aa','b')	replace('aaaa','a','bb')	replace('aaaa','','b')	replace('bbbb','a','c')
 bbbb	bb	bbbbbbbb	aaaa	bbbb
@@ -2336,7 +2336,7 @@ INSERT('abc', 3, 3, '1234')
 ab1234
 SELECT INSERT('abc', 4, 3, '1234');
 INSERT('abc', 4, 3, '1234')
-abc1234
+abc
 SELECT INSERT('abc', 5, 3, '1234');
 INSERT('abc', 5, 3, '1234')
 abc
@@ -2623,7 +2623,7 @@ CREATE TABLE t1 ( a TEXT );
 SELECT 'aaaaaaaaaaaaaa' INTO OUTFILE 'MYSQLTEST_VARDIR/tmp/bug58165.txt';;
 SELECT insert( substring_index( 'a', 'a', 'b' ), 1, 0, 'x' );
 insert( substring_index( 'a', 'a', 'b' ), 1, 0, 'x' )
-x
+
 Warnings:
 Warning	1292	Truncated incorrect INTEGER value: 'b'
 LOAD DATA INFILE 'MYSQLTEST_VARDIR/tmp/bug58165.txt' INTO TABLE t1;;
@@ -4500,5 +4500,19 @@ a
 DROP TABLE t1;
 SET NAMES latin1;
 #
+# Bug #21056907: CONTENTS OF NOT REQUESTED CHAR/VARCHAR COLUMN ARE
+#                REVEALED
+CREATE TABLE t1 (id INT, d TEXT);
+INSERT INTO t1 VALUES (1, 'this is a secret'), (2, 'public data');
+SELECT id, insert(':', 1, 0, d) FROM t1;
+id	insert(':', 1, 0, d)
+1	this is a secret:
+2	public data:
+SELECT id, insert(0x3a, 1, 0, d) FROM t1;
+id	insert(0x3a, 1, 0, d)
+1	this is a secret:
+2	public data:
+DROP TABLE t1;
+#
 # End of 5.6 tests
 #
diff --git a/mysql-test/r/func_str_debug.result b/mysql-test/r/func_str_debug.result
@@ -0,0 +1,8 @@
+# Bug#20554017 CONCAT MAY INCORRECTLY COPY OVERLAPPING STRINGS
+SET @old_debug= @@session.debug;
+SET session debug='d,force_fake_uuid';
+do concat('111','11111111111111111111111111',
+substring_index(uuid(),0,1.111111e+308));
+do concat_ws(',','111','11111111111111111111111111',
+substring_index(uuid(),0,1.111111e+308));
+SET session debug= @old_debug;
diff --git a/mysql-test/r/func_str_no_ps.result b/mysql-test/r/func_str_no_ps.result
@@ -0,0 +1,24 @@
+#
+# Bug#20315088 LCASE/LTRIM, SOURCE AND DESTINATION OVERLAP IN MEMCPY
+#
+do lcase(ltrim(from_unixtime(0,' %T ')));
+do _cp852 "" <= lcase(trim(leading 1 from 12222)) not between '1' and '2';
+do decode(substring(sha1('1'),'11'),25);
+do encode(mid(sysdate(),"5",1),'11');
+do upper(substring(1.111111111111111111 from '2n'));
+Warnings:
+Warning	1292	Truncated incorrect INTEGER value: '2n'
+Warning	1292	Truncated incorrect INTEGER value: '2n'
+do nullif(1,'-' between lcase(right(11111111," 7,]" ))and '1');
+Warnings:
+Warning	1292	Truncated incorrect INTEGER value: ' 7,]'
+Warning	1292	Truncated incorrect INTEGER value: ' 7,]'
+do upper(right(198039009115594390000000000000000000000.000000,35));
+do concat('111','11111111111111111111111111',
+substring_index(uuid(),0,1.111111e+308));
+do replace(ltrim(from_unixtime(0,' %T ')), '0', '1');
+do insert(ltrim(from_unixtime(0,' %T ')), 2, 1, 'hi');
+set @old_collation_connection=@@collation_connection;
+set collation_connection="utf8_general_ci";
+do replace(ltrim(from_unixtime(0,' %T ')), '0', '1');
+set collation_connection=@old_collation_connection;
diff --git a/mysql-test/t/ctype_utf8.test b/mysql-test/t/ctype_utf8.test
@@ -1588,7 +1588,6 @@ SET NAMES utf8;
 SET NAMES utf8;
 CREATE TABLE t1 (a INT);
 INSERT INTO t1 VALUES (0), (0), (1), (0), (0);
---error ER_DUP_ENTRY
 SELECT COUNT(*) FROM t1, t1 t2 
 GROUP BY INSERT('', t2.a, t1.a, (@@global.max_binlog_size));
 DROP TABLE t1;
diff --git a/mysql-test/t/func_str.test b/mysql-test/t/func_str.test
@@ -1723,6 +1723,16 @@ SELECT * FROM t1 WHERE a=to_base64('a');
 DROP TABLE t1;
 SET NAMES latin1;
 
+--echo #
+--echo # Bug #21056907: CONTENTS OF NOT REQUESTED CHAR/VARCHAR COLUMN ARE
+--echo #                REVEALED
+
+CREATE TABLE t1 (id INT, d TEXT);
+INSERT INTO t1 VALUES (1, 'this is a secret'), (2, 'public data');
+SELECT id, insert(':', 1, 0, d) FROM t1;
+SELECT id, insert(0x3a, 1, 0, d) FROM t1;
+DROP TABLE t1;
+
 --echo #
 --echo # End of 5.6 tests
 --echo #
diff --git a/mysql-test/t/func_str_debug.test b/mysql-test/t/func_str_debug.test
@@ -0,0 +1,14 @@
+--source include/have_debug_sync.inc
+
+--echo # Bug#20554017 CONCAT MAY INCORRECTLY COPY OVERLAPPING STRINGS
+
+SET @old_debug= @@session.debug;
+SET session debug='d,force_fake_uuid';
+
+do concat('111','11111111111111111111111111',
+          substring_index(uuid(),0,1.111111e+308));
+
+do concat_ws(',','111','11111111111111111111111111',
+             substring_index(uuid(),0,1.111111e+308));
+
+SET session debug= @old_debug;
diff --git a/mysql-test/t/func_str_no_ps.test b/mysql-test/t/func_str_no_ps.test
@@ -0,0 +1,26 @@
+# Some of the queries give different set of warnings with --ps-protocol
+if (`SELECT $PS_PROTOCOL + $CURSOR_PROTOCOL > 0`)
+{
+   --skip Need normal protocol
+}
+
+--echo #
+--echo # Bug#20315088 LCASE/LTRIM, SOURCE AND DESTINATION OVERLAP IN MEMCPY
+--echo #
+
+do lcase(ltrim(from_unixtime(0,' %T ')));
+do _cp852 "" <= lcase(trim(leading 1 from 12222)) not between '1' and '2';
+do decode(substring(sha1('1'),'11'),25);
+do encode(mid(sysdate(),"5",1),'11');
+do upper(substring(1.111111111111111111 from '2n'));
+do nullif(1,'-' between lcase(right(11111111," 7,]" ))and '1');
+do upper(right(198039009115594390000000000000000000000.000000,35));
+do concat('111','11111111111111111111111111',
+          substring_index(uuid(),0,1.111111e+308));
+do replace(ltrim(from_unixtime(0,' %T ')), '0', '1');
+do insert(ltrim(from_unixtime(0,' %T ')), 2, 1, 'hi');
+
+set @old_collation_connection=@@collation_connection;
+set collation_connection="utf8_general_ci";
+do replace(ltrim(from_unixtime(0,' %T ')), '0', '1');
+set collation_connection=@old_collation_connection;
diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc
diff --git a/sql/item_strfunc.h b/sql/item_strfunc.h
diff --git a/sql/sql_string.cc b/sql/sql_string.cc
diff --git a/sql/sql_string.h b/sql/sql_string.h
