Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

readLengthEncodedString should limit the capacity on returned byte slice. #765

Closed
renthraysk opened this issue Mar 5, 2018 · 4 comments · Fixed by #766
Closed

readLengthEncodedString should limit the capacity on returned byte slice. #765

renthraysk opened this issue Mar 5, 2018 · 4 comments · Fixed by #766
Assignees
@methane
Labels
bug
Milestone
v1.4.0

Comments

@renthraysk
Copy link

If the return byte slice is scanned into a sql.RawBytes, seems like an append() could overwrite other values.

mysql/utils.go

Lines 529 to 543 in 02eb68a

func readLengthEncodedString(b []byte) ([]byte, bool, int, error) {
// Get length
num, isNull, n := readLengthEncodedInteger(b)
if num < 1 {
return b[n:n], isNull, n, nil
}
n += int(num)
// Check data length
if len(b) >= n {
return b[n-int(num) : n], false, n, nil
}
return nil, false, n, io.EOF
}

@methane
Copy link
Member

methane commented Mar 5, 2018

You're right. There is one more considerable pitfall: should driver allocate&copy []byte?
Otherwise, []byte references receive buffer. Reading next row may overwrite previous data.

@methane
Copy link
Member

methane commented Mar 5, 2018

I'm digging database/sql code. Some interesting points:

https://github.com/golang/go/blob/master/src/database/sql/sql.go?utf8=%E2%9C%93#L2965-L2977

https://github.com/golang/go/blob/29fcd57a9f4b345bf155f04c0f5b4ccf7a61401e/src/database/sql/convert.go#L247-L258

It does defensive copy. So if driver does copy, there are two allocation&copy.

@renthraysk Could you give me reproducible example for issue you reported?
I tried but I can't since Go did defensive copy. Which version of Go do you use?

@renthraysk
Copy link
Author

renthraysk commented Mar 5, 2018
edited
Loading

Using go1.10, this fails for me... b becomes "FUBAR"

func TestOverwrite(t *testing.T) {
    db, err := sql.Open("mysql", "user:password@tcp(127.0.0.1:3306)/world_x")
    if err != nil {
        t.Fatalf("open failed: %s", err)
    }
    defer db.Close()

    var (
        a sql.RawBytes
        b sql.RawBytes
    )

    const A = "AAAAA"
    const B = "BBBBB"

    rows, err := db.Query("SELECT ?, ?", A, B)
    if err != nil {
        t.Fatalf("query failed: %s", err)
    }

    for rows.Next() {
        if err := rows.Scan(&a, &b); err != nil {
            t.Fatalf("scan failed: %s", err)
        }

        a = append(a, " FUBAR"...)

        if !bytes.Equal(b, []byte(B)) {
            t.Fatalf("Value of b overwritten expected %q, got %q", B, b)
        }
    }
    rows.Close()
}

@methane
Copy link
Member

methane commented Mar 5, 2018

You're right. sql.RawBytes document says:

RawBytes is a byte slice that holds a reference to memory owned by the database itself. After a Scan into a RawBytes, the slice is only valid until the next call to Next, Scan, or Close.

Go doesn't defensive copy for []byte -> RawBytes conversion.

@methane methane mentioned this issue Mar 5, 2018
Merged
5 tasks
@julienschmidt julienschmidt added this to the v1.4.0 milestone Mar 8, 2018
methane added a commit that referenced this issue Mar 8, 2018
@methane
Fix readLengthEncodedString() returned []byte had wrong capacity (#766)
1a676ac 
fixes #765
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@methane methane

Labels
bug
Projects
None yet
Milestone
v1.4.0
Development

Successfully merging a pull request may close this issue.

Fix returned []byte had wrong capacity. methane/mysql
3 participants
@methane @julienschmidt @renthraysk