MDEV-26139 Spider crashes with segmentation fault (signal 11) on CREATE TABLE when COMMENT does not contain embedded double quotes

The root cause of the bug MDEV-26139 is the lack of NULL checking
on the variable `dq`.

Comments on if (dq && (!sq || sq > dq)) {...} else {...}:

  * The if block corresponds to the case where parameters are
    quoted by double quotes. In that case, a single quote doesn't
    appear at all or only appears in the middle of double quotes.

  * The else block corresponds to the case where parameters are
    quoted by single quotes. In that case, a double quote doesn't
    appear at all or only appears in the middle of single quotes.

  * If the program reaches the if-else statement, `sq || dq` holds.
    Thus, the negation of `dq && (!sq || sq > dq)` is equivalent to
    `sq && (!dq || sq <= dq)`.
nayuta-yanagisawa committed Jul 14, 2021
1 parent 78735dc commit e3814a7
Showing 3 changed files with 16 additions and 2 deletions.
@@ -721,6 +721,12 @@ connection master_1;
create table t2345678911234567892123456789312345678941234567895123234234(id int) ENGINE=SPIDER
COMMENT='host "192.168.21.1", user "spider", password "password", database "test32738123123123"';
drop table t2345678911234567892123456789312345678941234567895123234234;
#
# MDEV-26139 Spider crashes with segmentation fault (signal 11) on CREATE TABLE when COMMENT does not contain embedded double quotes
#
create table mdev_26139 (id int) ENGINE=SPIDER
COMMENT="host '192.168.21.1', user 'spider', password 'password', database 'test'";
drop table mdev_26139;

deinit
connection master_1;
@@ -2682,6 +2682,13 @@ create table t2345678911234567892123456789312345678941234567895123234234(id int)
COMMENT='host "192.168.21.1", user "spider", password "password", database "test32738123123123"';
drop table t2345678911234567892123456789312345678941234567895123234234;

--echo #
--echo # MDEV-26139 Spider crashes with segmentation fault (signal 11) on CREATE TABLE when COMMENT does not contain embedded double quotes
--echo #
create table mdev_26139 (id int) ENGINE=SPIDER
COMMENT="host '192.168.21.1', user 'spider', password 'password', database 'test'";
drop table mdev_26139;

--echo
--echo deinit
--disable_warnings
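Review bot: The added `create table mdev_26139` case has only single quotes in the COMMENT, and the existing case above it has only double quotes, so in the two cases visible here the ordering test `sq > dq` is never reached with both pointers set. Consider adding cases where the other quote character appears inside a parameter value (the "only appears in the middle" situations the commit message describes), one for each quoting style, so that both branches of the new condition are exercised with both quote characters present.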
@@ -189,7 +189,8 @@ typedef struct st_spider_param_string_parse
{
DBUG_RETURN(print_param_error());
}
else if (!sq || sq > dq)

if (dq && (!sq || sq > dq))
{
while (1)
{
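Review bot: The new guard in `if (dq && (!sq || sq > dq))` has no in-code explanation of why `dq` must be checked; the reasoning lives only in the commit message. A short comment above the `if` saying that `dq` is NULL when the parameter string contains no double quote, and that the old `!sq || sq > dq` test could then select the double-quote branch anyway, would keep the fix from being simplified away later. Turning `else if` into a plain `if` is fine because the preceding block ends in `DBUG_RETURN(print_param_error());`, though the blank line left in its place makes the `if` look unrelated to that early return.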
@@ -227,7 +228,7 @@ typedef struct st_spider_param_string_parse
}
}
}
else
else /* sq && (!dq || sq <= dq) */
{
while (1)
{
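Review bot: The comment on `else /* sq && (!dq || sq <= dq) */` is true only under the invariant `sq || dq`; the plain negation of the `if` condition is `!dq || (sq && sq <= dq)`, which also admits the case where both pointers are NULL. Since the else branch presumably dereferences `sq`, consider enforcing the invariant with `DBUG_ASSERT(sq || dq);` before the `if`, or at least extending the comment to say "given sq || dq", so the claim in the comment is checkable from the code alone.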
