Bug #29723340: MYSQL SERVER CRASH AFTER SQL QUERY WITH DATA ?AST
Description:
============
MySQL server ends abruptly when a SELECT query with WHERE clause
having a predicate with a numeric value in the format of
(scientific) E-notation is executed.

ANALYSIS:
=========
my_strntoull10_8bit is invoked to convert the user-provided string to an
unsigned longlong integer value. The 'exponent' variable is used to
store the value of the exponent part of the user-provided literal.
But the data type of the 'exponent' variable is int, whereas the
exponent part of the user-provided literal is greater than INT_MAX.
Hence it results in a garbage value in the 'exponent' variable, which
then results in a segmentation fault when we access the array d10 using
this garbage value.

SOLUTION:
=========
Change the data type of the variables used for storing the value of the
exponent to longlong. Also check the value of the exponent so that a
value greater than LLONG_MAX is not processed further.

This is a partial backport of the patch for
  Bug#22824408 FIX MORE ERRORS REPORTED BY UBSAN - FOUR
and
  Bug#28505423 UBSAN: SIGNED INTEGER OVERFLOW IN
  MY_STRNTOULL10RND_8BIT

Change-Id: I773d048496b37d921b3504b1ec61b0a31f24ca77
Chandan Kunal committed Jun 25, 2019
1 parent 98cfe1e commit 52d9daf
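The conversion the analysis above describes, as an added example that is not MySQL's code: a small C parser for "<digits>E<exponent>" literals that accumulates the exponent in a long long with the same overflow guard the patch adds (`exponent <= (LLONG_MAX - ch) / 10`), and then bounds the exponent before it is used as an index into a power-of-ten table. The table is our own (named `d10` only to echo the commit message), the function and status names are ours, and the routine truncates on negative exponents rather than rounding as MySQL's "rnd" variant does.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

/* Added example, not MySQL source. It mirrors the shape the commit message
   describes: mantissa digits, an optional E-notation exponent, and a
   power-of-ten table indexed by the exponent. All names are our own. */

enum conv_status { CONV_OK = 0, CONV_TOO_BIG, CONV_BAD_INPUT };
struct conv_result { enum conv_status status; unsigned long long value; };

static struct conv_result fail(enum conv_status s)
{
  struct conv_result r = { s, 0 };
  return r;
}

/* 10^0 .. 10^19: every power of ten that fits in an unsigned long long. */
static const unsigned long long d10[] = {
  1ULL, 10ULL, 100ULL, 1000ULL, 10000ULL, 100000ULL, 1000000ULL, 10000000ULL,
  100000000ULL, 1000000000ULL, 10000000000ULL, 100000000000ULL, 1000000000000ULL,
  10000000000000ULL, 100000000000000ULL, 1000000000000000ULL, 10000000000000000ULL,
  100000000000000000ULL, 1000000000000000000ULL, 10000000000000000000ULL
};
#define D10_LEN ((long long)(sizeof d10 / sizeof d10[0]))

/* Parse [+-]digits at *pp (up to end) into *out with the patch's guard:
   exponent*10 + ch <= LLONG_MAX holds exactly when
   exponent <= (LLONG_MAX - ch) / 10, so the accumulator cannot overflow no
   matter how many digits follow. With an 'int' accumulator the same loop
   overflows (undefined behaviour) on an exponent such as 2147483648. */
static enum conv_status parse_exponent(const char **pp, const char *end,
                                       long long *out)
{
  const char *p = *pp;
  int negative = 0;
  long long exponent = 0;
  if (p < end && (*p == '-' || *p == '+'))
    negative = (*p++ == '-');
  if (p >= end || *p < '0' || *p > '9')
    return CONV_BAD_INPUT;          /* 'E' with no digits after it */
  for (; p < end && *p >= '0' && *p <= '9'; p++) {
    int ch = *p - '0';
    if (exponent > (LLONG_MAX - ch) / 10)
      return CONV_TOO_BIG;          /* next step would exceed LLONG_MAX */
    exponent = exponent * 10 + ch;
  }
  *out = negative ? -exponent : exponent;
  *pp = p;
  return CONV_OK;
}

/* Convert "<digits>[E[+-]<digits>]" (len bytes, need not be NUL-terminated)
   to an unsigned long long, truncating on negative exponents. The exponent
   is range-checked before it is used as an index into d10; indexing with an
   unchecked value is the access the commit message attributes the crash to. */
struct conv_result convert_e_literal(const char *str, size_t len)
{
  struct conv_result r = { CONV_OK, 0 };
  const char *p = str, *end = str + len;
  unsigned long long mantissa = 0;
  long long exponent = 0;
  enum conv_status st;
  if (p >= end || *p < '0' || *p > '9')
    return fail(CONV_BAD_INPUT);
  for (; p < end && *p >= '0' && *p <= '9'; p++) {
    unsigned long long ch = (unsigned long long)(*p - '0');
    if (mantissa > (ULLONG_MAX - ch) / 10)
      return fail(CONV_TOO_BIG);
    mantissa = mantissa * 10 + ch;
  }
  if (p < end && (*p == 'E' || *p == 'e')) {
    p++;
    if ((st = parse_exponent(&p, end, &exponent)) != CONV_OK)
      return fail(st);
  }
  if (p != end)
    return fail(CONV_BAD_INPUT);     /* trailing garbage */

  if (exponent < 0) {
    /* A 64-bit value divided by 10^20 or more is always 0, so a huge
       negative exponent is neither negated nor used as an index. */
    r.value = exponent <= -D10_LEN ? 0 : mantissa / d10[-exponent];
    return r;
  }
  if (mantissa == 0)
    return r;                        /* 0E<anything> is 0 */
  if (exponent >= D10_LEN || mantissa > ULLONG_MAX / d10[exponent])
    return fail(CONV_TOO_BIG);       /* index bounded before d10[exponent] */
  r.value = mantissa * d10[exponent];
  return r;
}

/* Convenience wrapper for NUL-terminated input. */
struct conv_result convert_e_cstr(const char *s)
{
  return convert_e_literal(s, strlen(s));
}
```

With this structure an input such as `1E99999999999999999999` is rejected as too big by the exponent loop, and `2E19` is rejected by the bound on the table index and the multiplication, so no value derived from the exponent ever reaches `d10[]` unchecked.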
Showing 1 changed file with 6 additions and 3 deletions.
9 changes: 6 additions & 3 deletions strings/ctype-simple.c
@@ -1,4 +1,4 @@
/* Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved.
/* Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -1517,7 +1517,7 @@ my_strntoull10rnd_8bit(const CHARSET_INFO *cs MY_ATTRIBUTE((unused)),
str++;
if (str < end)
{
int negative_exp, exponent;
longlong negative_exp, exponent;
if ((negative_exp= (*str == '-')) || *str=='+')
{
if (++str == end)
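Review bot: in `longlong negative_exp, exponent;` only `exponent` needed widening; `negative_exp` is assigned the result of the comparison `*str == '-'` and is only tested for truth, so making it a longlong changes nothing and obscures which variable the fix is about. Keep `negative_exp` as `int` (or `bool`) and widen just `exponent`. The point where `exponent` is set to 0 before the digit loop is outside the visible context; please confirm it is still initialised, since the new guard in the next hunk assumes the accumulator starts at a non-negative value.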
@@ -1527,7 +1527,10 @@ my_strntoull10rnd_8bit(const CHARSET_INFO *cs MY_ATTRIBUTE((unused)),
str < end && (ch= (uchar) (*str - '0')) < 10;
str++)
{
exponent= exponent * 10 + ch;
if (exponent <= (LLONG_MAX - ch) / 10)
exponent= exponent * 10 + ch;
else
goto ret_too_big;
}
shift+= negative_exp ? -exponent : exponent;
}
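Review bot: the `goto ret_too_big` is taken for a negative exponent as well, but a literal whose exponent after `E-` has more than nineteen digits is vanishingly small, not too big; with `negative_exp` set the overflow case should round the result to zero rather than report it as too large. The guard `exponent <= (LLONG_MAX - ch) / 10` itself is correct (it is exactly the condition under which `exponent * 10 + ch` stays at or below LLONG_MAX), but it lets `exponent` grow to nearly LLONG_MAX and that value is then added into `shift` on `shift+= negative_exp ? -exponent : exponent;`. The type of `shift` is not visible in this hunk; if it is narrower than longlong the overflow simply moves there, and even as a longlong the addition overflows once `shift` is already non-zero. Any exponent beyond the number of entries in the d10 table the commit message mentions already overflows or zeroes an unsigned longlong, so a small fixed bound applied before the addition would be both simpler and a direct bound on the d10 index.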