
Commit 55146e0

author
Sreeharsha Ramanavarapu
committed
Bug #21056907: CONTENTS OF NOT REQUESTED CHAR/VARCHAR
COLUMN ARE REVEALED Issue: ----- When a hexadecimal string literal is passed as an argument to the INSERT() string function, the SELECT statement displays additional data (content belonging to other rows) that was not requested. SOLUTION: --------- This happens because while creating the hexadecimal character, the "Alloced_length" is set to the string length, but the actual allocation does not happen. This will result in the same string being used for multiple rows, and the new string will be appended to the old one. The solution is to check whether a string is actually allocated, if not make sure that this is done. Also, when a string is supplied from a variable, String->realloc will result in truncation if 'to' and 'from' overlap. This needs to be handled by forcing an allocation on the heap. Functions like lcase/encode/decode may return substrings that are already allocated on the heap. concat/concat_ws can have similar problems where temporary results are over-written. Here uses_buffer_owned_by() can be used to check if the input string is already allocated on the heap. If yes, a temporary variable is used to store the substring. This fix is a backport of Bug#11765149, Bug#20315088 and Bug#20554017.
1 parent 12c4519 commit 55146e0

18 files changed

Lines changed: 267 additions & 46 deletions

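--- a/client/sql_string.cc
+++ b/client/sql_string.cc
@@ -1,5 +1,5 @@
 /*
-Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -59,12 +59,19 @@ bool String::real_alloc(uint32 length)
 ** (for C functions)
 */
 
-bool String::realloc(uint32 alloc_length)
+bool String::realloc(uint32 alloc_length, bool force_on_heap)
 {
 uint32 len=ALIGN_SIZE(alloc_length+1);
 DBUG_ASSERT(len > alloc_length);
 if (len <= alloc_length)
 return TRUE; /* Overflow */
+
+if (force_on_heap && !alloced)
+{
+/* Bytes will be allocated on the heap.*/
+Alloced_length= 0;
+}
+
 if (Alloced_length < len)
 {
 char *new_ptr;
@@ -690,14 +697,14 @@ int stringcmp(const String *s,const String *t)
 
 String *copy_if_not_alloced(String *to,String *from,uint32 from_length)
 {
-if (from->Alloced_length >= from_length)
+if (from->alloced && from->Alloced_length >= from_length)
 return from;
 if ((from->alloced && (from->Alloced_length != 0)) || !to || from == to)
 {
-(void) from->realloc(from_length);
+(void) from->realloc(from_length, true);
 return from;
 }
-if (to->realloc(from_length))
+if (to->realloc(from_length, true))
 return from; // Actually an error
 if ((to->str_length=min(from->str_length,from_length)))
 memcpy(to->Ptr,from->Ptr,to->str_length);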
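Review bot: The new `(void) from->realloc(from_length, true);` in copy_if_not_alloced still drops the allocation-failure result, and with force_on_heap the callee first zeroes `Alloced_length` on a buffer the String does not own; unless the part of String::realloc past the hunk restores the old capacity on failure, the caller gets back `from` pointing at the borrowed buffer with capacity 0 and no signal that anything went wrong. Consider returning NULL on failure, as the `to` branch's `// Actually an error` already admits its own `return from` is wrong, if the callers (not visible here) can handle it; at minimum document the failure state in a comment at the call. The comment `/* Bytes will be allocated on the heap.*/` would also help more as `/* Borrowed buffer: drop its capacity so a fresh heap copy is made even if it is large enough (needed when 'to' and 'from' overlap) */`. Both String::realloc and copy_if_not_alloced continue past the end of their hunks.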

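--- a/client/sql_string.h
+++ b/client/sql_string.h
@@ -1,7 +1,7 @@
 #ifndef CLIENT_SQL_STRING_INCLUDED
 #define CLIENT_SQL_STRING_INCLUDED
 
-/* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -197,7 +197,7 @@ class String
 return real_alloc(arg_length);
 }
 bool real_alloc(uint32 arg_length); // Empties old string
-bool realloc(uint32 arg_length);
+bool realloc(uint32 arg_length, bool force_on_heap= false);
 
 // Shrink the buffer, but only if it is allocated on the heap.
 inline void shrink(uint32 arg_length)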
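Review bot: The new `force_on_heap` parameter on `realloc` is undocumented in the header, while the neighbouring `shrink` carries a one-line comment, so a caller cannot tell from the declaration when to pass true. Add a comment above the declaration, e.g. `// force_on_heap: if the buffer is not owned by this String, ignore its capacity and allocate a fresh heap copy (needed when source and destination overlap).`. The String class body continues outside this hunk.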

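--- a/mysql-test/r/ctype_utf8.result
+++ b/mysql-test/r/ctype_utf8.result
@@ -113,7 +113,7 @@ hex(a) STRCMP(a,'a') STRCMP(a,'a ')
 DROP TABLE t1;
 select insert('txs',2,1,'hi'),insert('is ',4,0,'a'),insert('txxxxt',2,4,'es');
 insert('txs',2,1,'hi') insert('is ',4,0,'a') insert('txxxxt',2,4,'es')
-this is a test
+this is test
 select insert("aa",100,1,"b"),insert("aa",1,3,"b");
 insert("aa",100,1,"b") insert("aa",1,3,"b")
 aa b
@@ -5141,7 +5141,8 @@ CREATE TABLE t1 (a INT);
 INSERT INTO t1 VALUES (0), (0), (1), (0), (0);
 SELECT COUNT(*) FROM t1, t1 t2
 GROUP BY INSERT('', t2.a, t1.a, (@@global.max_binlog_size));
-ERROR 23000: Duplicate entry '107374182410737418241' for key 'group_key'
+COUNT(*)
+25
 DROP TABLE t1;
 #
 # Bug#11764503 (Bug#57341) Query in EXPLAIN EXTENDED shows wrong characters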

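--- a/mysql-test/r/ctype_utf8mb4.result
+++ b/mysql-test/r/ctype_utf8mb4.result
@@ -116,7 +116,7 @@ hex(a) STRCMP(a,'a') STRCMP(a,'a ')
 DROP TABLE t1;
 select insert('txs',2,1,'hi'),insert('is ',4,0,'a'),insert('txxxxt',2,4,'es');
 insert('txs',2,1,'hi') insert('is ',4,0,'a') insert('txxxxt',2,4,'es')
-this is a test
+this is test
 select insert("aa",100,1,"b"),insert("aa",1,3,"b");
 insert("aa",100,1,"b") insert("aa",1,3,"b")
 aa b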

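--- a/mysql-test/r/ctype_utf8mb4_heap.result
+++ b/mysql-test/r/ctype_utf8mb4_heap.result
@@ -116,7 +116,7 @@ hex(a) STRCMP(a,'a') STRCMP(a,'a ')
 DROP TABLE t1;
 select insert('txs',2,1,'hi'),insert('is ',4,0,'a'),insert('txxxxt',2,4,'es');
 insert('txs',2,1,'hi') insert('is ',4,0,'a') insert('txxxxt',2,4,'es')
-this is a test
+this is test
 select insert("aa",100,1,"b"),insert("aa",1,3,"b");
 insert("aa",100,1,"b") insert("aa",1,3,"b")
 aa b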

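--- a/mysql-test/r/ctype_utf8mb4_innodb.result
+++ b/mysql-test/r/ctype_utf8mb4_innodb.result
@@ -116,7 +116,7 @@ hex(a) STRCMP(a,'a') STRCMP(a,'a ')
 DROP TABLE t1;
 select insert('txs',2,1,'hi'),insert('is ',4,0,'a'),insert('txxxxt',2,4,'es');
 insert('txs',2,1,'hi') insert('is ',4,0,'a') insert('txxxxt',2,4,'es')
-this is a test
+this is test
 select insert("aa",100,1,"b"),insert("aa",1,3,"b");
 insert("aa",100,1,"b") insert("aa",1,3,"b")
 aa b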

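--- a/mysql-test/r/ctype_utf8mb4_myisam.result
+++ b/mysql-test/r/ctype_utf8mb4_myisam.result
@@ -116,7 +116,7 @@ hex(a) STRCMP(a,'a') STRCMP(a,'a ')
 DROP TABLE t1;
 select insert('txs',2,1,'hi'),insert('is ',4,0,'a'),insert('txxxxt',2,4,'es');
 insert('txs',2,1,'hi') insert('is ',4,0,'a') insert('txxxxt',2,4,'es')
-this is a test
+this is test
 select insert("aa",100,1,"b"),insert("aa",1,3,"b");
 insert("aa",100,1,"b") insert("aa",1,3,"b")
 aa b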

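--- a/mysql-test/r/func_str.result
+++ b/mysql-test/r/func_str.result
@@ -203,7 +203,7 @@ CONCAT('"',CONCAT_WS('";"',repeat('a',60),repeat('b',60),repeat('c',60),repeat('
 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";"cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc";"dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
 select insert('txs',2,1,'hi'),insert('is ',4,0,'a'),insert('txxxxt',2,4,'es');
 insert('txs',2,1,'hi') insert('is ',4,0,'a') insert('txxxxt',2,4,'es')
-this is a test
+this is test
 select replace('aaaa','a','b'),replace('aaaa','aa','b'),replace('aaaa','a','bb'),replace('aaaa','','b'),replace('bbbb','a','c');
 replace('aaaa','a','b') replace('aaaa','aa','b') replace('aaaa','a','bb') replace('aaaa','','b') replace('bbbb','a','c')
 bbbb bb bbbbbbbb aaaa bbbb
@@ -2336,7 +2336,7 @@ INSERT('abc', 3, 3, '1234')
 ab1234
 SELECT INSERT('abc', 4, 3, '1234');
 INSERT('abc', 4, 3, '1234')
-abc1234
+abc
 SELECT INSERT('abc', 5, 3, '1234');
 INSERT('abc', 5, 3, '1234')
 abc
@@ -2623,7 +2623,7 @@ CREATE TABLE t1 ( a TEXT );
 SELECT 'aaaaaaaaaaaaaa' INTO OUTFILE 'MYSQLTEST_VARDIR/tmp/bug58165.txt';;
 SELECT insert( substring_index( 'a', 'a', 'b' ), 1, 0, 'x' );
 insert( substring_index( 'a', 'a', 'b' ), 1, 0, 'x' )
-x
+
 Warnings:
 Warning 1292 Truncated incorrect INTEGER value: 'b'
 LOAD DATA INFILE 'MYSQLTEST_VARDIR/tmp/bug58165.txt' INTO TABLE t1;;
@@ -4500,5 +4500,19 @@ a
 DROP TABLE t1;
 SET NAMES latin1;
 #
+# Bug #21056907: CONTENTS OF NOT REQUESTED CHAR/VARCHAR COLUMN ARE
+# REVEALED
+CREATE TABLE t1 (id INT, d TEXT);
+INSERT INTO t1 VALUES (1, 'this is a secret'), (2, 'public data');
+SELECT id, insert(':', 1, 0, d) FROM t1;
+id insert(':', 1, 0, d)
+1 this is a secret:
+2 public data:
+SELECT id, insert(0x3a, 1, 0, d) FROM t1;
+id insert(0x3a, 1, 0, d)
+1 this is a secret:
+2 public data:
+DROP TABLE t1;
+#
 # End of 5.6 tests
 #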
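Review bot: The regression test added for Bug #21056907 uses `d TEXT`, while the bug title names CHAR/VARCHAR columns, so the originally reported column type is not exercised. Consider changing the table to `CREATE TABLE t1 (id INT, d TEXT, v VARCHAR(32));` and repeating the two SELECTs on `v` (the two rows already give the multi-row buffer reuse the description says went wrong). This is a result file, so the matching .test file needs the same change.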

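--- /dev/null
+++ b/mysql-test/r/func_str_debug.result
@@ -0,0 +1,8 @@
+# Bug#20554017 CONCAT MAY INCORRECTLY COPY OVERLAPPING STRINGS
+SET @old_debug= @@session.debug;
+SET session debug='d,force_fake_uuid';
+do concat('111','11111111111111111111111111',
+substring_index(uuid(),0,1.111111e+308));
+do concat_ws(',','111','11111111111111111111111111',
+substring_index(uuid(),0,1.111111e+308));
+SET session debug= @old_debug;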

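--- /dev/null
+++ b/mysql-test/r/func_str_no_ps.result
@@ -0,0 +1,24 @@
+#
+# Bug#20315088 LCASE/LTRIM, SOURCE AND DESTINATION OVERLAP IN MEMCPY
+#
+do lcase(ltrim(from_unixtime(0,' %T ')));
+do _cp852 "" <= lcase(trim(leading 1 from 12222)) not between '1' and '2';
+do decode(substring(sha1('1'),'11'),25);
+do encode(mid(sysdate(),"5",1),'11');
+do upper(substring(1.111111111111111111 from '2n'));
+Warnings:
+Warning 1292 Truncated incorrect INTEGER value: '2n'
+Warning 1292 Truncated incorrect INTEGER value: '2n'
+do nullif(1,'-' between lcase(right(11111111," 7,]" ))and '1');
+Warnings:
+Warning 1292 Truncated incorrect INTEGER value: ' 7,]'
+Warning 1292 Truncated incorrect INTEGER value: ' 7,]'
+do upper(right(198039009115594390000000000000000000000.000000,35));
+do concat('111','11111111111111111111111111',
+substring_index(uuid(),0,1.111111e+308));
+do replace(ltrim(from_unixtime(0,' %T ')), '0', '1');
+do insert(ltrim(from_unixtime(0,' %T ')), 2, 1, 'hi');
+set @old_collation_connection=@@collation_connection;
+set collation_connection="utf8_general_ci";
+do replace(ltrim(from_unixtime(0,' %T ')), '0', '1');
+set collation_connection=@old_collation_connection;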
