
Commit 93c4146

author
Tor Didriksen
committed
Bug#16765410 FTS: STACK AROUND THE VARIABLE 'MYSTR' WAS CORRUPTED IN INNOBASE_STRNXFRM
my_strnxfrm_win1250ch could write into dest[destlen], i.e. write one byte past the end of dest.
1 parent 8bee47f commit 93c4146

3 files changed

Lines changed: 53 additions & 51 deletions


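--- a/mysql-test/r/ctype_cp1250_ch.result
+++ b/mysql-test/r/ctype_cp1250_ch.result
@@ -300,55 +300,55 @@ hex(weight_string('abc' as char(5)))
 A4A5A6020202
 select hex(weight_string('abc', 1, 2, 0xC0));
 hex(weight_string('abc', 1, 2, 0xC0))
-A4A5
+A4
 select hex(weight_string('abc', 2, 2, 0xC0));
 hex(weight_string('abc', 2, 2, 0xC0))
-A4A5A6
+A4A5
 select hex(weight_string('abc', 3, 2, 0xC0));
 hex(weight_string('abc', 3, 2, 0xC0))
-A4A5A602
+A4A5A6
 select hex(weight_string('abc', 4, 2, 0xC0));
 hex(weight_string('abc', 4, 2, 0xC0))
-A4A5A60202
+A4A5A602
 select hex(weight_string('abc', 5, 2, 0xC0));
 hex(weight_string('abc', 5, 2, 0xC0))
-A4A5A6020202
+A4A5A60202
 select hex(weight_string('abc',25, 2, 0xC0));
 hex(weight_string('abc',25, 2, 0xC0))
 A4A5A602020200000000000000000000000000000000000000
 select hex(weight_string('abc', 1, 3, 0xC0));
 hex(weight_string('abc', 1, 3, 0xC0))
-A4A5
+A4
 select hex(weight_string('abc', 2, 3, 0xC0));
 hex(weight_string('abc', 2, 3, 0xC0))
-A4A5A6
+A4A5
 select hex(weight_string('abc', 3, 3, 0xC0));
 hex(weight_string('abc', 3, 3, 0xC0))
-A4A5A602
+A4A5A6
 select hex(weight_string('abc', 4, 3, 0xC0));
 hex(weight_string('abc', 4, 3, 0xC0))
-A4A5A60202
+A4A5A602
 select hex(weight_string('abc', 5, 3, 0xC0));
 hex(weight_string('abc', 5, 3, 0xC0))
-A4A5A6020202
+A4A5A60202
 select hex(weight_string('abc',25, 3, 0xC0));
 hex(weight_string('abc',25, 3, 0xC0))
 A4A5A602020200000000000000000000000000000000000000
 select hex(weight_string('abc', 1, 4, 0xC0));
 hex(weight_string('abc', 1, 4, 0xC0))
-A4A5
+A4
 select hex(weight_string('abc', 2, 4, 0xC0));
 hex(weight_string('abc', 2, 4, 0xC0))
-A4A5A6
+A4A5
 select hex(weight_string('abc', 3, 4, 0xC0));
 hex(weight_string('abc', 3, 4, 0xC0))
-A4A5A602
+A4A5A6
 select hex(weight_string('abc', 4, 4, 0xC0));
 hex(weight_string('abc', 4, 4, 0xC0))
-A4A5A60202
+A4A5A602
 select hex(weight_string('abc', 5, 4, 0xC0));
 hex(weight_string('abc', 5, 4, 0xC0))
-A4A5A6020202
+A4A5A60202
 select hex(weight_string('abc',25, 4, 0xC0));
 hex(weight_string('abc',25, 4, 0xC0))
 A4A5A602020200000000000000000000000000000000000000
@@ -372,55 +372,55 @@ hex(weight_string(cast(_latin1 0x808080 as char) as char(5)))
 818181232323
 select hex(weight_string(cast(_latin1 0x808080 as char), 1, 2, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 1, 2, 0xC0))
-8181
+81
 select hex(weight_string(cast(_latin1 0x808080 as char), 2, 2, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 2, 2, 0xC0))
-818181
+8181
 select hex(weight_string(cast(_latin1 0x808080 as char), 3, 2, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 3, 2, 0xC0))
-81818123
+818181
 select hex(weight_string(cast(_latin1 0x808080 as char), 4, 2, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 4, 2, 0xC0))
-8181812323
+81818123
 select hex(weight_string(cast(_latin1 0x808080 as char), 5, 2, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 5, 2, 0xC0))
-818181232323
+8181812323
 select hex(weight_string(cast(_latin1 0x808080 as char),25, 2, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char),25, 2, 0xC0))
 81818123232300000000000000000000000000000000000000
 select hex(weight_string(cast(_latin1 0x808080 as char), 1, 3, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 1, 3, 0xC0))
-8181
+81
 select hex(weight_string(cast(_latin1 0x808080 as char), 2, 3, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 2, 3, 0xC0))
-818181
+8181
 select hex(weight_string(cast(_latin1 0x808080 as char), 3, 3, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 3, 3, 0xC0))
-81818123
+818181
 select hex(weight_string(cast(_latin1 0x808080 as char), 4, 3, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 4, 3, 0xC0))
-8181812323
+81818123
 select hex(weight_string(cast(_latin1 0x808080 as char), 5, 3, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 5, 3, 0xC0))
-818181232323
+8181812323
 select hex(weight_string(cast(_latin1 0x808080 as char),25, 3, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char),25, 3, 0xC0))
 81818123232300000000000000000000000000000000000000
 select hex(weight_string(cast(_latin1 0x808080 as char), 1, 4, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 1, 4, 0xC0))
-8181
+81
 select hex(weight_string(cast(_latin1 0x808080 as char), 2, 4, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 2, 4, 0xC0))
-818181
+8181
 select hex(weight_string(cast(_latin1 0x808080 as char), 3, 4, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 3, 4, 0xC0))
-81818123
+818181
 select hex(weight_string(cast(_latin1 0x808080 as char), 4, 4, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 4, 4, 0xC0))
-8181812323
+81818123
 select hex(weight_string(cast(_latin1 0x808080 as char), 5, 4, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char), 5, 4, 0xC0))
-818181232323
+8181812323
 select hex(weight_string(cast(_latin1 0x808080 as char),25, 4, 0xC0));
 hex(weight_string(cast(_latin1 0x808080 as char),25, 4, 0xC0))
 81818123232300000000000000000000000000000000000000
@@ -483,13 +483,13 @@ hex(weight_string(cast(_latin1 0xDF6368 as char) as char(4)))
 BBAD0103
 select hex(weight_string(cast(_latin1 0x6368DF as char), 1, 2, 0xC0));
 hex(weight_string(cast(_latin1 0x6368DF as char), 1, 2, 0xC0))
-ADBB
+AD
 select hex(weight_string(cast(_latin1 0x6368DF as char), 2, 2, 0xC0));
 hex(weight_string(cast(_latin1 0x6368DF as char), 2, 2, 0xC0))
-ADBB03
+ADBB
 select hex(weight_string(cast(_latin1 0x6368DF as char), 3, 2, 0xC0));
 hex(weight_string(cast(_latin1 0x6368DF as char), 3, 2, 0xC0))
-ADBB0301
+ADBB03
 select hex(weight_string(cast(_latin1 0x6368DF as char), 4, 2, 0xC0));
 hex(weight_string(cast(_latin1 0x6368DF as char), 4, 2, 0xC0))
 ADBB0301
@@ -498,13 +498,13 @@ hex(weight_string(cast(_latin1 0x6368DF as char),25, 2, 0xC0))
 ADBB0301000000000000000000000000000000000000000000
 select hex(weight_string(cast(_latin1 0x6368DF as char), 1, 3, 0xC0));
 hex(weight_string(cast(_latin1 0x6368DF as char), 1, 3, 0xC0))
-ADBB
+AD
 select hex(weight_string(cast(_latin1 0x6368DF as char), 2, 3, 0xC0));
 hex(weight_string(cast(_latin1 0x6368DF as char), 2, 3, 0xC0))
-ADBB03
+ADBB
 select hex(weight_string(cast(_latin1 0x6368DF as char), 3, 3, 0xC0));
 hex(weight_string(cast(_latin1 0x6368DF as char), 3, 3, 0xC0))
-ADBB0301
+ADBB03
 select hex(weight_string(cast(_latin1 0x6368DF as char), 4, 3, 0xC0));
 hex(weight_string(cast(_latin1 0x6368DF as char), 4, 3, 0xC0))
 ADBB0301
@@ -513,13 +513,13 @@ hex(weight_string(cast(_latin1 0x6368DF as char),25, 3, 0xC0))
 ADBB0301000000000000000000000000000000000000000000
 select hex(weight_string(cast(_latin1 0x6368DF as char), 1, 4, 0xC0));
 hex(weight_string(cast(_latin1 0x6368DF as char), 1, 4, 0xC0))
-ADBB
+AD
 select hex(weight_string(cast(_latin1 0x6368DF as char), 2, 4, 0xC0));
 hex(weight_string(cast(_latin1 0x6368DF as char), 2, 4, 0xC0))
-ADBB03
+ADBB
 select hex(weight_string(cast(_latin1 0x6368DF as char), 3, 4, 0xC0));
 hex(weight_string(cast(_latin1 0x6368DF as char), 3, 4, 0xC0))
-ADBB0301
+ADBB03
 select hex(weight_string(cast(_latin1 0x6368DF as char), 4, 4, 0xC0));
 hex(weight_string(cast(_latin1 0x6368DF as char), 4, 4, 0xC0))
 ADBB0301
@@ -528,13 +528,13 @@ hex(weight_string(cast(_latin1 0x6368DF as char),25, 4, 0xC0))
 ADBB0301000000000000000000000000000000000000000000
 select hex(weight_string(cast(_latin1 0xDF6368 as char), 1, 2,0xC0));
 hex(weight_string(cast(_latin1 0xDF6368 as char), 1, 2,0xC0))
-BBAD
+BB
 select hex(weight_string(cast(_latin1 0xDF6368 as char), 2, 2,0xC0));
 hex(weight_string(cast(_latin1 0xDF6368 as char), 2, 2,0xC0))
-BBAD01
+BBAD
 select hex(weight_string(cast(_latin1 0xDF6368 as char), 3, 2,0xC0));
 hex(weight_string(cast(_latin1 0xDF6368 as char), 3, 2,0xC0))
-BBAD0103
+BBAD01
 select hex(weight_string(cast(_latin1 0xDF6368 as char), 4, 2,0xC0));
 hex(weight_string(cast(_latin1 0xDF6368 as char), 4, 2,0xC0))
 BBAD0103
@@ -543,13 +543,13 @@ hex(weight_string(cast(_latin1 0xDF6368 as char),25, 2,0xC0))
 BBAD0103000000000000000000000000000000000000000000
 select hex(weight_string(cast(_latin1 0xDF6368 as char), 1, 3,0xC0));
 hex(weight_string(cast(_latin1 0xDF6368 as char), 1, 3,0xC0))
-BBAD
+BB
 select hex(weight_string(cast(_latin1 0xDF6368 as char), 2, 3,0xC0));
 hex(weight_string(cast(_latin1 0xDF6368 as char), 2, 3,0xC0))
-BBAD01
+BBAD
 select hex(weight_string(cast(_latin1 0xDF6368 as char), 3, 3,0xC0));
 hex(weight_string(cast(_latin1 0xDF6368 as char), 3, 3,0xC0))
-BBAD0103
+BBAD01
 select hex(weight_string(cast(_latin1 0xDF6368 as char), 4, 3,0xC0));
 hex(weight_string(cast(_latin1 0xDF6368 as char), 4, 3,0xC0))
 BBAD0103
@@ -558,13 +558,13 @@ hex(weight_string(cast(_latin1 0xDF6368 as char),25, 3,0xC0))
 BBAD0103000000000000000000000000000000000000000000
 select hex(weight_string(cast(_latin1 0xDF6368 as char), 1, 4,0xC0));
 hex(weight_string(cast(_latin1 0xDF6368 as char), 1, 4,0xC0))
-BBAD
+BB
 select hex(weight_string(cast(_latin1 0xDF6368 as char), 2, 4,0xC0));
 hex(weight_string(cast(_latin1 0xDF6368 as char), 2, 4,0xC0))
-BBAD01
+BBAD
 select hex(weight_string(cast(_latin1 0xDF6368 as char), 3, 4,0xC0));
 hex(weight_string(cast(_latin1 0xDF6368 as char), 3, 4,0xC0))
-BBAD0103
+BBAD01
 select hex(weight_string(cast(_latin1 0xDF6368 as char), 4, 4,0xC0));
 hex(weight_string(cast(_latin1 0xDF6368 as char), 4, 4,0xC0))
 BBAD0103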

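--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@@ -3439,6 +3439,8 @@ String *Item_func_weight_string::val_str(String *str)
 nweights ? nweights : tmp_length,
 (const uchar *) res->ptr(), res->length(),
 flags);
+DBUG_ASSERT(frm_length <= tmp_length);
+
 tmp_value.length(frm_length);
 null_value= 0;
 return &tmp_value;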
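Review bot: The added `DBUG_ASSERT(frm_length <= tmp_length);` fires only in debug builds and only after the strnxfrm call has already written its output, so in a release build an oversized `frm_length` still reaches `tmp_value.length(frm_length)` unchecked. If `tmp_length` is the size allocated for `tmp_value` (the allocation is above the hunk, so this is inferred), a release-mode clamp such as `if (frm_length > tmp_length) frm_length= tmp_length;` before the `length()` call would at least keep later readers of the string inside the buffer. A one-line comment above the assert, e.g. `/* strnxfrm must never report more bytes than the destination holds */`, would record why it is there. The body of val_str starts above the hunk.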

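--- a/strings/ctype-win1250ch.c
+++ b/strings/ctype-win1250ch.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved.
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -494,12 +494,12 @@ my_strnxfrm_win1250ch(const CHARSET_INFO *cs __attribute__((unused)),
 if (!(flags & 0x0F)) /* All levels by default */
 flags|= 0x0F;
 
-for (;;)
+for (; totlen < len;)
 {
 NEXT_CMP_VALUE(src, p, pass, value, (int)srclen);
 if (!value)
 break;
-if (totlen <= len && ((1 << pass) & flags))
+if (((1 << pass) & flags))
 dest[totlen++] = value;
 }
 if ((flags & MY_STRXFRM_PAD_TO_MAXLEN) && len > totlen)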
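Review bot: The out-of-bounds store is now prevented solely by the loop header, so `dest[totlen++] = value;` relies on `totlen < len` still holding after NEXT_CMP_VALUE has run. That macro is defined outside the hunk, and the invariant deserves a comment at the store such as `/* totlen < len here, so dest has room for one more weight */`. As a matter of style, `for (; totlen < len;)` is a `while (totlen < len)`, and `if (((1 << pass) & flags))` keeps a redundant pair of parentheses from the removed condition. None of the three changed files adds a test that calls the function with a destination of exactly `len` bytes; the updated .result file only records the one-byte-shorter output. The function begins before the hunk and continues past it.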
