MDEV-32376 SHOW CREATE DATABASE statement crashes the server when db name contains some unicode characters, ASAN stack-buffer-overflow

abarkov · abarkov · commit 21f56583bf20 · 2024-06-10T09:31:14.000+04:00
Adding the test for the length of lex-&gt;name into show_create_db().

Without this test writes beyond the end of db_name_buff were possible
upon a too long database name.
diff --git a/mysql-test/main/create.result b/mysql-test/main/create.result
@@ -2061,4 +2061,11 @@ DROP TABLE t1;
 #
 CREATE TABLE t1 (id1 INT, id2 INT, primary key (id1), unique index (id2) visible);
 drop table t1;
+#
+# MDEV-32376 SHOW CREATE DATABASE statement crashes the server when db name contains some unicode characters, ASAN stack-buffer-overflow
+#
+SET NAMES utf8mb3;
+SHOW CREATE DATABASE `#testone#￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭`;
+ERROR 42000: Incorrect database name '#testone#￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭...'
+SET NAMES DEFAULT;
 # End of 10.5 Test
diff --git a/mysql-test/main/create.test b/mysql-test/main/create.test
@@ -1935,4 +1935,13 @@ DROP TABLE t1;
 CREATE TABLE t1 (id1 INT, id2 INT, primary key (id1), unique index (id2) visible);
 drop table t1;
 
+--echo #
+--echo # MDEV-32376 SHOW CREATE DATABASE statement crashes the server when db name contains some unicode characters, ASAN stack-buffer-overflow
+--echo #
+
+SET NAMES utf8mb3;
+--error ER_WRONG_DB_NAME
+SHOW CREATE DATABASE `#testone#￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭`;
+SET NAMES DEFAULT;
+
 --echo # End of 10.5 Test
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
@@ -6637,6 +6637,23 @@ show_create_db(THD *thd, LEX *lex)
   DBUG_EXECUTE_IF("4x_server_emul",
                   my_error(ER_UNKNOWN_ERROR, MYF(0)); return 1;);
 
+#if MYSQL_VERSION_ID<=110301
+  /*
+    This piece of the code was added in 10.5 to fix MDEV-32376.
+    It should not get to 11.3 or higer, as MDEV-32376 was fixed
+    in a different way in 11.3.1 (see MDEV-31948).
+  */
+  if (lex->name.length > sizeof(db_name_buff) - 1)
+  {
+    my_error(ER_WRONG_DB_NAME, MYF(0),
+             ErrConvString(lex->name.str, lex->name.length,
+                           system_charset_info).ptr());
+    return 1;
+  }
+#else
+#error Remove this preprocessor-conditional code in 11.3.1+
+#endif
+
   db_name.str= db_name_buff;
   db_name.length= lex->name.length;
   strmov(db_name_buff, lex->name.str);
