MDEV-24901 SIGSEGV in fts_get_table_name, SIGSEGV in ib_vector_size, SIGSEGV in row_merge_fts_doc_tokenize, stack smashing

abarkov · abarkov · commit 059797ed4400 · 2021-10-29T12:37:29.000+04:00
strmake() puts one extra 0x00 byte at the end of the string.
The code in my_strnxfrm_tis620[_nopad] did not take this into
account, so in the reported scenario the 0x00 byte was put outside
of a stack variable, which made ASAN crash.

This problem is already fixed in in MySQL:

  commit 19bd66fe43c41f0bde5f36bc6b455a46693069fb
  Author: bin.x.su@oracle.com &lt;&gt;
  Date:   Fri Apr 4 11:35:27 2014 +0800

But the fix does not seem to be correct, as it breaks when finds a zero byte
in the source string.

Using memcpy() instead of strmake().

- Unlike strmake(), memcpy() it does not write beyond the destination
  size passed.
- Unlike the MySQL fix, memcpy() does not break on the first 0x00 byte found
  in the source string.
diff --git a/mysql-test/r/ctype_tis620.result b/mysql-test/r/ctype_tis620.result
@@ -4421,5 +4421,14 @@ DROP TABLE t1;
 #
 SET STORAGE_ENGINE=Default;
 #
+# MDEV-24901 SIGSEGV in fts_get_table_name, SIGSEGV in ib_vector_size, SIGSEGV in row_merge_fts_doc_tokenize, stack smashing
+#
+SELECT HEX(WEIGHT_STRING(_tis620 'a\0b'));
+HEX(WEIGHT_STRING(_tis620 'a\0b'))
+610062
+SELECT HEX(WEIGHT_STRING(_tis620 'a\0b' COLLATE tis620_thai_nopad_ci));
+HEX(WEIGHT_STRING(_tis620 'a\0b' COLLATE tis620_thai_nopad_ci))
+610062
+#
 # End of 10.2 tests
 #
diff --git a/mysql-test/suite/innodb/r/innodb_ctype_tis620.result b/mysql-test/suite/innodb/r/innodb_ctype_tis620.result
@@ -0,0 +1,32 @@
+SET STORAGE_ENGINE=InnoDB;
+#
+# Start of 10.2 tests
+#
+#
+#  MDEV-24901 SIGSEGV in fts_get_table_name, SIGSEGV in ib_vector_size, SIGSEGV in row_merge_fts_doc_tokenize, stack smashing Export
+#
+CREATE TABLE t1(c TEXT CHARACTER SET tis620);
+SHOW CREATE TABLE t1;
+Table	Create Table
+t1	CREATE TABLE `t1` (
+  `c` text CHARACTER SET tis620 DEFAULT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=latin1
+INSERT INTO t1 VALUES('100');
+ALTER TABLE t1 ADD FULLTEXT INDEX(c), ALGORITHM=INPLACE;
+Warnings:
+Warning	124	InnoDB rebuilding table to add column FTS_DOC_ID
+DROP TABLE t1;
+CREATE TABLE t1(c TEXT CHARACTER SET tis620 COLLATE tis620_thai_nopad_ci);
+SHOW CREATE TABLE t1;
+Table	Create Table
+t1	CREATE TABLE `t1` (
+  `c` text CHARACTER SET tis620 COLLATE tis620_thai_nopad_ci DEFAULT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=latin1
+INSERT INTO t1 VALUES('100');
+ALTER TABLE t1 ADD FULLTEXT INDEX(c), ALGORITHM=INPLACE;
+Warnings:
+Warning	124	InnoDB rebuilding table to add column FTS_DOC_ID
+DROP TABLE t1;
+#
+# End of 10.2 tests
+#
diff --git a/mysql-test/suite/innodb/t/innodb_ctype_tis620.test b/mysql-test/suite/innodb/t/innodb_ctype_tis620.test
@@ -0,0 +1,29 @@
+--source include/have_innodb.inc
+--source include/have_tis620.inc
+
+SET STORAGE_ENGINE=InnoDB;
+
+--echo #
+--echo # Start of 10.2 tests
+--echo #
+
+--echo #
+--echo #  MDEV-24901 SIGSEGV in fts_get_table_name, SIGSEGV in ib_vector_size, SIGSEGV in row_merge_fts_doc_tokenize, stack smashing Export
+--echo #
+
+CREATE TABLE t1(c TEXT CHARACTER SET tis620);
+SHOW CREATE TABLE t1;
+INSERT INTO t1 VALUES('100');
+ALTER TABLE t1 ADD FULLTEXT INDEX(c), ALGORITHM=INPLACE;
+DROP TABLE t1;
+
+CREATE TABLE t1(c TEXT CHARACTER SET tis620 COLLATE tis620_thai_nopad_ci);
+SHOW CREATE TABLE t1;
+INSERT INTO t1 VALUES('100');
+ALTER TABLE t1 ADD FULLTEXT INDEX(c), ALGORITHM=INPLACE;
+DROP TABLE t1;
+
+
+--echo #
+--echo # End of 10.2 tests
+--echo #
diff --git a/mysql-test/t/ctype_tis620.test b/mysql-test/t/ctype_tis620.test
@@ -209,6 +209,13 @@ let $coll='tis620_nopad_bin';
 let $coll_pad='tis620_bin';
 --source include/ctype_pad_all_engines.inc
 
+--echo #
+--echo # MDEV-24901 SIGSEGV in fts_get_table_name, SIGSEGV in ib_vector_size, SIGSEGV in row_merge_fts_doc_tokenize, stack smashing
+--echo #
+
+SELECT HEX(WEIGHT_STRING(_tis620 'a\0b'));
+SELECT HEX(WEIGHT_STRING(_tis620 'a\0b' COLLATE tis620_thai_nopad_ci));
+
 --echo #
 --echo # End of 10.2 tests
 --echo #
diff --git a/strings/ctype-tis620.c b/strings/ctype-tis620.c
@@ -605,8 +605,8 @@ my_strnxfrm_tis620(CHARSET_INFO *cs,
                    const uchar *src, size_t srclen, uint flags)
 {
   size_t len, dstlen0= dstlen;
-  len= (uint) (strmake((char*) dst, (char*) src, MY_MIN(dstlen, srclen)) -
-	               (char*) dst);
+  len= MY_MIN(dstlen, srclen);
+  memcpy(dst, src, len);
   len= thai2sortable(dst, len);
   set_if_smaller(dstlen, nweights);
   set_if_smaller(len, dstlen); 
@@ -628,8 +628,8 @@ my_strnxfrm_tis620_nopad(CHARSET_INFO *cs,
                          const uchar *src, size_t srclen, uint flags)
 {
   size_t len, dstlen0= dstlen;
-  len= (uint) (strmake((char*) dst, (char*) src, MY_MIN(dstlen, srclen)) -
-	               (char*) dst);
+  len= MY_MIN(dstlen, srclen);
+  memcpy(dst, src, len);
   len= thai2sortable(dst, len);
   set_if_smaller(dstlen, nweights);
   set_if_smaller(len, dstlen);

Original file line number	Diff line number	Diff line change
`@@ -4421,5 +4421,14 @@ DROP TABLE t1;`
`4421`	`4421`	`#`
`4422`	`4422`	`SET STORAGE_ENGINE=Default;`
`4423`	`4423`	`#`
	`4424`	`+# MDEV-24901 SIGSEGV in fts_get_table_name, SIGSEGV in ib_vector_size, SIGSEGV in row_merge_fts_doc_tokenize, stack smashing`
	`4425`	`+#`
	`4426`	`+SELECT HEX(WEIGHT_STRING(_tis620 'a\0b'));`
	`4427`	`+HEX(WEIGHT_STRING(_tis620 'a\0b'))`
	`4428`	`+610062`
	`4429`	`+SELECT HEX(WEIGHT_STRING(_tis620 'a\0b' COLLATE tis620_thai_nopad_ci));`
	`4430`	`+HEX(WEIGHT_STRING(_tis620 'a\0b' COLLATE tis620_thai_nopad_ci))`
	`4431`	`+610062`
	`4432`	`+#`
`4424`	`4433`	`# End of 10.2 tests`
`4425`	`4434`	`#`