MDEV-34226 On startup: UBSAN: applying zero offset to null pointer in…

… my_copy_fix_mb from strings/ctype-mb.c and other locations nullptr+0 is an UB (undefined behavior). - Fixing my_string_metadata_get_mb() to handle {nullptr,0} without UB. - Fixing THD::copy_with_error() to disallow {nullptr,0} by DBUG_ASSERT(). - Fixing parse_client_handshake_packet() to call THD::copy_with_error() with an empty string {"",0} instead of NULL string {nullptr,0}.
MariaDB · May 27, 2024 · 4a158ec · 4a158ec
1 parent 7925326
commit 4a158ec
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 2 deletions.
diff --git a/mysql-test/main/connect-no-db.result b/mysql-test/main/connect-no-db.result
@@ -0,0 +1,9 @@
+#
+# MDEV-34226 On startup: UBSAN: applying zero offset to null pointer in my_copy_fix_mb from strings/ctype-mb.c and other locations
+#
+connect  con1,localhost,root,,"*NO-ONE*";
+SELECT database();
+database()
+NULL
+disconnect con1;
+connection default;
diff --git a/mysql-test/main/connect-no-db.test b/mysql-test/main/connect-no-db.test
@@ -0,0 +1,10 @@
+--echo #
+--echo # MDEV-34226 On startup: UBSAN: applying zero offset to null pointer in my_copy_fix_mb from strings/ctype-mb.c and other locations
+--echo #
+
+# Connect without a database
+
+connect (con1,localhost,root,,"*NO-ONE*");
+SELECT database();
+disconnect con1;
+connection default;
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
@@ -13799,9 +13799,11 @@ static ulong parse_client_handshake_packet(MPVIO_EXT *mpvio,
     Since 4.1 all database names are stored in utf8
     The cast is ok as copy_with_error will create a new area for db
   */
+  DBUG_ASSERT(db || !db_len);
+  // Don't pass db==nullptr to avoid UB nullptr+0 inside copy_with_error()
   if (unlikely(thd->copy_with_error(system_charset_info,
                                     (LEX_STRING*) &mpvio->db,
-                                    thd->charset(), db, db_len)))
+                                    thd->charset(), db ? db : "", db_len)))
     return packet_error;
 
   user_len= copy_and_convert(user_buff, sizeof(user_buff) - 1,

diff --git a/sql/sql_class.cc b/sql/sql_class.cc
@@ -2522,6 +2522,8 @@ bool THD::copy_with_error(CHARSET_INFO *dstcs, LEX_STRING *dst,
                           CHARSET_INFO *srccs,
                           const char *src, size_t src_length)
 {
+  // Don't allow NULL to avoid UB in the called functions: nullptr+0
+  DBUG_ASSERT(src);
   String_copier_with_error status;
   return copy_fix(dstcs, dst, srccs, src, src_length, &status) ||
          status.check_errors(srccs, src, src_length);

diff --git a/strings/ctype.c b/strings/ctype.c
@@ -867,7 +867,7 @@ static void
 my_string_metadata_get_mb(MY_STRING_METADATA *metadata,
                           CHARSET_INFO *cs, const char *str, ulong length)
 {
-  const char *strend= str + length;
+  const char *strend= str ? str + length : NULL; // Avoid UB nullptr+0
   for (my_string_metadata_init(metadata) ;
        str < strend;
        metadata->char_length++)