

Re: [Commits] bde705f: MDEV-7050: MySQL#74603 - Assertion `comma_length > 0' failed in mysql_prepare_create_table

 

Hi, Jan!

On Dec 02, Jan Lindström wrote:
> revision-id: bde705fdaec49ab495eafcd18c609970a2566cb7 (mariadb-5.5.46-10-gbde705f)
> parent(s): 13ad179c96ee8c8c4043806b8575c851e3676f0d
> committer: Jan Lindström
> timestamp: 2015-12-02 17:53:28 +0200
> message:
> 
> MDEV-7050: MySQL#74603 - Assertion `comma_length > 0' failed in mysql_prepare_create_table
> 
> A too-short buffer was used as the ENUM comma buffer.
> 
> ---
>  mysql-test/r/create.result | 20 ++++++++++++++++++++
>  mysql-test/t/create.test   | 21 +++++++++++++++++++++
>  sql/sql_table.cc           |  2 +-
>  3 files changed, 42 insertions(+), 1 deletion(-)
> 
> diff --git a/mysql-test/r/create.result b/mysql-test/r/create.result
> index 8dd3cc8..2da3460 100644
> --- a/mysql-test/r/create.result
> +++ b/mysql-test/r/create.result
> @@ -2477,3 +2477,23 @@ t1	CREATE TABLE `t1` (
>    `c` char(32) AS (convert(cast(n as char), char)) PERSISTENT
>  ) ENGINE=MyISAM DEFAULT CHARSET=latin1
>  drop table t1;
> +DROP DATABASE test;
> +CREATE DATABASE test;
> +USE test;
> +SET character_set_filesystem=filename;
> +SET @session_start_value=@@character_set_filesystem;
> +SET @@session.collation_server=@session_start_value;
> +create table t0(a ENUM('',''));
> +Warnings:
> +Note	1291	Column 'a' has duplicated value '' in ENUM
> +DROP DATABASE test;
> +CREATE DATABASE test;
> +USE test;
> +create table t0(a ENUM('',''));
> +Warnings:
> +Note	1291	Column 'a' has duplicated value '' in ENUM
> +DROP TABLE t0;
> +SET @@session.collation_server = latin1_swedish_ci;
> +DROP DATABASE test;
> +CREATE DATABASE test;
> +USE test;
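Review bot: The value saved into `@session_start_value` is captured after `character_set_filesystem` has already been set to `filename`, so it records `filename` rather than the pre-test value, and `character_set_filesystem` itself is never restored in the hunk. `collation_server` is restored, but to a hard-coded `latin1_swedish_ci` rather than the saved value. Restoring both with `SET @@session.collation_server=DEFAULT;` and `SET @@session.character_set_filesystem=DEFAULT;` at the end would keep the session state from leaking into whatever follows in create.test. The corresponding create.test hunk is not quoted here, so this is read from the expected-output file only.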

You could do with a simpler test case. This one worked for me:

  set @@session.collation_server=filename;
  create table t1(a enum('',''));
  drop table t1;
  set @@session.collation_server=default;

> diff --git a/sql/sql_table.cc b/sql/sql_table.cc
> index 6e589e2..6ce46ad 100644
> --- a/sql/sql_table.cc
> +++ b/sql/sql_table.cc
> @@ -2986,7 +2986,7 @@ mysql_prepare_create_table(THD *thd, HA_CREATE_INFO *create_info,
>                                                 sql_field->interval_list);
>          List_iterator<String> int_it(sql_field->interval_list);
>          String conv, *tmp;
> -        char comma_buf[4]; /* 4 bytes for utf32 */
> +        char comma_buf[8]; /* 4*2 bytes for utf32 */

incorrect comment, must be

           char comma_buf[5]; /* 5 bytes for 'filename' charset */

and please, add an assert:

           DBUG_ASSERT(sizeof(comma_buf) >= cs->mbmaxlen);

>          int comma_length= cs->cset->wc_mb(cs, ',', (uchar*) comma_buf,
>                                            (uchar*) comma_buf + 
>                                            sizeof(comma_buf));
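Review bot: Enlarging `comma_buf` fixes the observed input, but `comma_length` at the end of the hunk still takes whatever `cs->cset->wc_mb` returns, and a too-small-buffer result from it (an `MY_CS_TOOSMALL*` code, which as far as I recall is negative) is only caught by the debug assertion named in the subject; a non-debug build would carry the negative length into the code that follows. A runtime guard that treats a non-positive `comma_length` as an error, rather than relying on the assertion alone, would close that gap; which error to raise depends on the surrounding code, since mysql_prepare_create_table continues outside the hunk. The buffer comment should also state what the size is derived from (the widest `mbmaxlen` among supported charsets) so the next charset addition has something to check against.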

There's another bug, which is why 5 and the assert might not work for
you. I'll attach the patch with the fix. Feel free to push it, but
it must be pushed before your bugfix. Or wait for me to push it, as you
like. Just tell me what you choose.

Regards,
Sergei
Chief Architect MariaDB
and security@xxxxxxxxxxx
-- 
Vote for my Percona Live 2016 talks:
https://www.percona.com/live/data-performance-conference-2016/sessions/mariadb-connectors-fast-and-smart-new-protocol-optimizations#community-voting
https://www.percona.com/live/data-performance-conference-2016/sessions/mariadb-101-security-validation-authentication-encryption#community-voting
commit b05008a
Author: Sergei Golubchik <serg@xxxxxxxxxxx>
Date:   Sun Dec 6 11:32:01 2015 +0100

    correct length check in my_wc_mb_filename()

diff --git a/mysql-test/r/ctype_filename.result b/mysql-test/r/ctype_filename.result
index acc32c7..ac8df47 100644
--- a/mysql-test/r/ctype_filename.result
+++ b/mysql-test/r/ctype_filename.result
@@ -11,3 +11,6 @@ create table com1 (a int);
 drop table com1;
 create table `clock$` (a int);
 drop table `clock$`;
+select convert(convert(',' using filename) using binary);
+convert(convert(',' using filename) using binary)
+@002c
diff --git a/mysql-test/t/ctype_filename.test b/mysql-test/t/ctype_filename.test
index 436ccfc..4c501a8 100644
--- a/mysql-test/t/ctype_filename.test
+++ b/mysql-test/t/ctype_filename.test
@@ -19,3 +19,6 @@ drop table com1;
 
 create table `clock$` (a int);
 drop table `clock$`;
+
+select convert(convert(',' using filename) using binary);
+
diff --git a/strings/ctype-utf8.c b/strings/ctype-utf8.c
index edcac27..2dd7f5e 100644
--- a/strings/ctype-utf8.c
+++ b/strings/ctype-utf8.c
@@ -4585,7 +4585,7 @@ my_wc_mb_filename(CHARSET_INFO *cs __attribute__((unused)),
   }
 
   /* Non letter */
-  if (s + 5 > e)
+  if (s + 4 > e)
     return MY_CS_TOOSMALL5;
 
   *s++= hex[(wc >> 12) & 15];
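Review bot: The corrected `if (s + 4 > e)` paired with `return MY_CS_TOOSMALL5;` will read as a mismatch to the next maintainer, because the reason the count is 4 rather than 5 — presumably the escape byte has already been stored before this point, outside the hunk, with the four hex digits still to write (the new ctype_filename.result shows the five-byte form `@002c`) — is not stated anywhere near the check. A one-line comment above it, `/* escape byte already stored; 4 hex digits still needed, 5 bytes in total */`, would record that and tie the constant to the error code. The same test can be written as `if (e - s < 4)`, which avoids forming a pointer beyond the end of the output buffer when fewer than four bytes remain. The enclosing my_wc_mb_filename() starts outside the hunk.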