Bug#16765410 FTS: STACK AROUND THE VARIABLE 'MYSTR' WAS CORRUPTED IN INNOBASE_STRNXFRM

Tor Didriksen · Tor Didriksen · commit 93c41460d021 · 2013-09-17T11:01:36.000+02:00
my_strnxfrm_win1250ch could write into dest[destlen]
i.e. write a byte to the past-the-end of dest.
diff --git a/mysql-test/r/ctype_cp1250_ch.result b/mysql-test/r/ctype_cp1250_ch.result
@@ -300,55 +300,55 @@ hex(weight_string('abc' as char(5)))
 A4A5A6020202
 select hex(weight_string('abc', 1, 2, 0xC0));
 hex(weight_string('abc', 1, 2, 0xC0))
-A4A5
+A4
 select hex(weight_string('abc', 2, 2, 0xC0));
 hex(weight_string('abc', 2, 2, 0xC0))
-A4A5A6
+A4A5
 select hex(weight_string('abc', 3, 2, 0xC0));
 hex(weight_string('abc', 3, 2, 0xC0))
-A4A5A602
+A4A5A6
 select hex(weight_string('abc', 4, 2, 0xC0));
 hex(weight_string('abc', 4, 2, 0xC0))
-A4A5A60202
+A4A5A602
 select hex(weight_string('abc', 5, 2, 0xC0));
 hex(weight_string('abc', 5, 2, 0xC0))
-A4A5A6020202
+A4A5A60202
 select hex(weight_string('abc',25, 2, 0xC0));
 hex(weight_string('abc',25, 2, 0xC0))
 A4A5A602020200000000000000000000000000000000000000
 select hex(weight_string('abc', 1, 3, 0xC0));
 hex(weight_string('abc', 1, 3, 0xC0))
-A4A5
+A4
 select hex(weight_string('abc', 2, 3, 0xC0));
 hex(weight_string('abc', 2, 3, 0xC0))
-A4A5A6
+A4A5
 select hex(weight_string('abc', 3, 3, 0xC0));
 hex(weight_string('abc', 3, 3, 0xC0))
-A4A5A602
+A4A5A6
 select hex(weight_string('abc', 4, 3, 0xC0));
 hex(weight_string('abc', 4, 3, 0xC0))
-A4A5A60202
+A4A5A602
 select hex(weight_string('abc', 5, 3, 0xC0));
 hex(weight_string('abc', 5, 3, 0xC0))
-A4A5A6020202
+A4A5A60202
 select hex(weight_string('abc',25, 3, 0xC0));
 hex(weight_string('abc',25, 3, 0xC0))
 A4A5A602020200000000000000000000000000000000000000
 select hex(weight_string('abc', 1, 4, 0xC0));
 hex(weight_string('abc', 1, 4, 0xC0))
-A4A5
+A4
 select hex(weight_string('abc', 2, 4, 0xC0));
 hex(weight_string('abc', 2, 4, 0xC0))
-A4A5A6
+A4A5
 select hex(weight_string('abc', 3, 4, 0xC0));
 hex(weight_string('abc', 3, 4, 0xC0))
-A4A5A602
+A4A5A6
 select hex(weight_string('abc', 4, 4, 0xC0));
 hex(weight_string('abc', 4, 4, 0xC0))
-A4A5A60202
+A4A5A602
 select hex(weight_string('abc', 5, 4, 0xC0));
 hex(weight_string('abc', 5, 4, 0xC0))
-A4A5A6020202
+A4A5A60202
 select hex(weight_string('abc',25, 4, 0xC0));
 hex(weight_string('abc',25, 4, 0xC0))
 A4A5A602020200000000000000000000000000000000000000
@@ -372,55 +372,55 @@ hex(weight_string(cast(_latin1 0x808080 as char) as char(5)))
 818181232323
 select hex(weight_string(cast(_latin1 0x808080 as char), 1, 2, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 1, 2, 0xC0))
-8181
+81
 select hex(weight_string(cast(_latin1 0x808080 as char), 2, 2, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 2, 2, 0xC0))
-818181
+8181
 select hex(weight_string(cast(_latin1 0x808080 as char), 3, 2, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 3, 2, 0xC0))
-81818123
+818181
 select hex(weight_string(cast(_latin1 0x808080 as char), 4, 2, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 4, 2, 0xC0))
-8181812323
+81818123
 select hex(weight_string(cast(_latin1 0x808080 as char), 5, 2, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 5, 2, 0xC0))
-818181232323
+8181812323
 select hex(weight_string(cast(_latin1 0x808080 as char),25, 2, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char),25, 2, 0xC0))
 81818123232300000000000000000000000000000000000000
 select hex(weight_string(cast(_latin1 0x808080 as char), 1, 3, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 1, 3, 0xC0))
-8181
+81
 select hex(weight_string(cast(_latin1 0x808080 as char), 2, 3, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 2, 3, 0xC0))
-818181
+8181
 select hex(weight_string(cast(_latin1 0x808080 as char), 3, 3, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 3, 3, 0xC0))
-81818123
+818181
 select hex(weight_string(cast(_latin1 0x808080 as char), 4, 3, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 4, 3, 0xC0))
-8181812323
+81818123
 select hex(weight_string(cast(_latin1 0x808080 as char), 5, 3, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 5, 3, 0xC0))
-818181232323
+8181812323
 select hex(weight_string(cast(_latin1 0x808080 as char),25, 3, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char),25, 3, 0xC0))
 81818123232300000000000000000000000000000000000000
 select hex(weight_string(cast(_latin1 0x808080 as char), 1, 4, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 1, 4, 0xC0))
-8181
+81
 select hex(weight_string(cast(_latin1 0x808080 as char), 2, 4, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 2, 4, 0xC0))
-818181
+8181
 select hex(weight_string(cast(_latin1 0x808080 as char), 3, 4, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 3, 4, 0xC0))
-81818123
+818181
 select hex(weight_string(cast(_latin1 0x808080 as char), 4, 4, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 4, 4, 0xC0))
-8181812323
+81818123
 select hex(weight_string(cast(_latin1 0x808080 as char), 5, 4, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 5, 4, 0xC0))
-818181232323
+8181812323
 select hex(weight_string(cast(_latin1 0x808080 as char),25, 4, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char),25, 4, 0xC0))
 81818123232300000000000000000000000000000000000000
@@ -483,13 +483,13 @@ hex(weight_string(cast(_latin1 0xDF6368 as char) as char(4)))
 BBAD0103
 select hex(weight_string(cast(_latin1 0x6368DF as char), 1, 2, 0xC0));
 hex(weight_string(cast(_latin1 0x6368DF as char), 1, 2, 0xC0))
-ADBB
+AD
 select hex(weight_string(cast(_latin1 0x6368DF as char), 2, 2, 0xC0));
 hex(weight_string(cast(_latin1 0x6368DF as char), 2, 2, 0xC0))
-ADBB03
+ADBB
 select hex(weight_string(cast(_latin1 0x6368DF as char), 3, 2, 0xC0));
 hex(weight_string(cast(_latin1 0x6368DF as char), 3, 2, 0xC0))
-ADBB0301
+ADBB03
 select hex(weight_string(cast(_latin1 0x6368DF as char), 4, 2, 0xC0));
 hex(weight_string(cast(_latin1 0x6368DF as char), 4, 2, 0xC0))
 ADBB0301
@@ -498,13 +498,13 @@ hex(weight_string(cast(_latin1 0x6368DF as char),25, 2, 0xC0))
 ADBB0301000000000000000000000000000000000000000000
 select hex(weight_string(cast(_latin1 0x6368DF as char), 1, 3, 0xC0));
 hex(weight_string(cast(_latin1 0x6368DF as char), 1, 3, 0xC0))
-ADBB
+AD
 select hex(weight_string(cast(_latin1 0x6368DF as char), 2, 3, 0xC0));
 hex(weight_string(cast(_latin1 0x6368DF as char), 2, 3, 0xC0))
-ADBB03
+ADBB
 select hex(weight_string(cast(_latin1 0x6368DF as char), 3, 3, 0xC0));
 hex(weight_string(cast(_latin1 0x6368DF as char), 3, 3, 0xC0))
-ADBB0301
+ADBB03
 select hex(weight_string(cast(_latin1 0x6368DF as char), 4, 3, 0xC0));
 hex(weight_string(cast(_latin1 0x6368DF as char), 4, 3, 0xC0))
 ADBB0301
@@ -513,13 +513,13 @@ hex(weight_string(cast(_latin1 0x6368DF as char),25, 3, 0xC0))
 ADBB0301000000000000000000000000000000000000000000
 select hex(weight_string(cast(_latin1 0x6368DF as char), 1, 4, 0xC0));
 hex(weight_string(cast(_latin1 0x6368DF as char), 1, 4, 0xC0))
-ADBB
+AD
 select hex(weight_string(cast(_latin1 0x6368DF as char), 2, 4, 0xC0));
 hex(weight_string(cast(_latin1 0x6368DF as char), 2, 4, 0xC0))
-ADBB03
+ADBB
 select hex(weight_string(cast(_latin1 0x6368DF as char), 3, 4, 0xC0));
 hex(weight_string(cast(_latin1 0x6368DF as char), 3, 4, 0xC0))
-ADBB0301
+ADBB03
 select hex(weight_string(cast(_latin1 0x6368DF as char), 4, 4, 0xC0));
 hex(weight_string(cast(_latin1 0x6368DF as char), 4, 4, 0xC0))
 ADBB0301
@@ -528,13 +528,13 @@ hex(weight_string(cast(_latin1 0x6368DF as char),25, 4, 0xC0))
 ADBB0301000000000000000000000000000000000000000000
 select hex(weight_string(cast(_latin1 0xDF6368 as char), 1, 2,0xC0));
 hex(weight_string(cast(_latin1 0xDF6368 as char), 1, 2,0xC0))
-BBAD
+BB
 select hex(weight_string(cast(_latin1 0xDF6368 as char), 2, 2,0xC0));
 hex(weight_string(cast(_latin1 0xDF6368 as char), 2, 2,0xC0))
-BBAD01
+BBAD
 select hex(weight_string(cast(_latin1 0xDF6368 as char), 3, 2,0xC0));
 hex(weight_string(cast(_latin1 0xDF6368 as char), 3, 2,0xC0))
-BBAD0103
+BBAD01
 select hex(weight_string(cast(_latin1 0xDF6368 as char), 4, 2,0xC0));
 hex(weight_string(cast(_latin1 0xDF6368 as char), 4, 2,0xC0))
 BBAD0103
@@ -543,13 +543,13 @@ hex(weight_string(cast(_latin1 0xDF6368 as char),25, 2,0xC0))
 BBAD0103000000000000000000000000000000000000000000
 select hex(weight_string(cast(_latin1 0xDF6368 as char), 1, 3,0xC0));
 hex(weight_string(cast(_latin1 0xDF6368 as char), 1, 3,0xC0))
-BBAD
+BB
 select hex(weight_string(cast(_latin1 0xDF6368 as char), 2, 3,0xC0));
 hex(weight_string(cast(_latin1 0xDF6368 as char), 2, 3,0xC0))
-BBAD01
+BBAD
 select hex(weight_string(cast(_latin1 0xDF6368 as char), 3, 3,0xC0));
 hex(weight_string(cast(_latin1 0xDF6368 as char), 3, 3,0xC0))
-BBAD0103
+BBAD01
 select hex(weight_string(cast(_latin1 0xDF6368 as char), 4, 3,0xC0));
 hex(weight_string(cast(_latin1 0xDF6368 as char), 4, 3,0xC0))
 BBAD0103
@@ -558,13 +558,13 @@ hex(weight_string(cast(_latin1 0xDF6368 as char),25, 3,0xC0))
 BBAD0103000000000000000000000000000000000000000000
 select hex(weight_string(cast(_latin1 0xDF6368 as char), 1, 4,0xC0));
 hex(weight_string(cast(_latin1 0xDF6368 as char), 1, 4,0xC0))
-BBAD
+BB
 select hex(weight_string(cast(_latin1 0xDF6368 as char), 2, 4,0xC0));
 hex(weight_string(cast(_latin1 0xDF6368 as char), 2, 4,0xC0))
-BBAD01
+BBAD
 select hex(weight_string(cast(_latin1 0xDF6368 as char), 3, 4,0xC0));
 hex(weight_string(cast(_latin1 0xDF6368 as char), 3, 4,0xC0))
-BBAD0103
+BBAD01
 select hex(weight_string(cast(_latin1 0xDF6368 as char), 4, 4,0xC0));
 hex(weight_string(cast(_latin1 0xDF6368 as char), 4, 4,0xC0))
 BBAD0103
diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc
@@ -3439,6 +3439,8 @@ String *Item_func_weight_string::val_str(String *str)
                                    nweights ? nweights : tmp_length,
                                    (const uchar *) res->ptr(), res->length(),
                                    flags);
+  DBUG_ASSERT(frm_length <= tmp_length);
+
   tmp_value.length(frm_length);
   null_value= 0;
   return &tmp_value;
diff --git a/strings/ctype-win1250ch.c b/strings/ctype-win1250ch.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -494,12 +494,12 @@ my_strnxfrm_win1250ch(const CHARSET_INFO *cs  __attribute__((unused)),
   if (!(flags & 0x0F)) /* All levels by default */                              
     flags|= 0x0F;
 
-  for (;;)
+  for (; totlen < len;)
   {
     NEXT_CMP_VALUE(src, p, pass, value, (int)srclen);
     if (!value)
       break;
-    if (totlen <= len && ((1 << pass) & flags))
+    if (((1 << pass) & flags))
       dest[totlen++] = value;
   }
   if ((flags & MY_STRXFRM_PAD_TO_MAXLEN) && len > totlen)
