Bug#27618273 BUFFER OVERFLOW IN USERVAR,USERNAME,HOSTNAME WITH BROKEN UTF8

Tor Didriksen · Tor Didriksen · commit dc0f623b2179 · 2025-01-30T13:30:18.000+01:00
The function check_column_name() is used multiple places to verify
user input. In order to do a proper job it needs the length of the
input string, rather than just a pointer to the first character.

Also fix documentation for the validate_string() function.

This is a manual backport of
   commit e12a5db2626bc9104f5536f1876d399e14f847f5

For check_column_name() we backport only the range check when calling
my_ismbchar(). In newer branches we also did a validate_string(),
but that introduced other/unwanted changes to some test results.

Extend suppressions in lsan.supp to work with newer perl versions.

Add CTORS taking a LEX_CSTRING for classes Simple_cstring and Name_string.
These are taken from
   commit 46fe1cb52d168bd76bcce11cdb69a6e4ab647f4b
       Bug#28787272: FIX -WCAST-QUAL COMPILATION WARNINGS [noclose]

Change-Id: I70bace14e55c701aec602b058e6ba42c18514cc7
diff --git a/include/sql_string.h b/include/sql_string.h
@@ -1,7 +1,7 @@
 #ifndef SQL_STRING_INCLUDED
 #define SQL_STRING_INCLUDED
 
-/* Copyright (c) 2000, 2023, Oracle and/or its affiliates.
+/* Copyright (c) 2000, 2025, Oracle and/or its affiliates.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -79,6 +79,8 @@ class Simple_cstring
   {
     set(arg.str, arg.length);
   }
+  Simple_cstring(const LEX_CSTRING arg) { set(arg.str, arg.length); }
+
   void reset()
   {
     set(NULL, 0);
diff --git a/mysql-test/lsan.supp b/mysql-test/lsan.supp
@@ -1,4 +1,4 @@
-# Copyright (c) 2018, 2023, Oracle and/or its affiliates.
+# Copyright (c) 2018, 2025, Oracle and/or its affiliates.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License, version 2.0,
@@ -25,3 +25,9 @@
 leak:Perl_safesyscalloc
 leak:Perl_safesysmalloc
 leak:Perl_safesysrealloc
+leak:Perl_savesharedpv
+leak:Perl_Slab_Alloc
+leak:Perl_newUNOP_AUX
+leak:Perl_newSTATEOP
+leak:Perl_pmruntime
+leak:/lib64/libperl.so.*
diff --git a/sql-common/sql_string.cc b/sql-common/sql_string.cc
@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2023, Oracle and/or its affiliates.
+/* Copyright (c) 2000, 2025, Oracle and/or its affiliates.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -1305,8 +1305,7 @@ size_t bin_to_hex_str(char *to, size_t to_len, char *from, size_t from_len)
                                 prefix for a character, i.e. the byte length
                                 of that invalid character is undefined.
 
-  @retval true if the whole input byte sequence is a valid character string.
-               The length_error output parameter is undefined.
+  @retval true if the input is invalid.
 
   @return
     if the whole input byte sequence is a valid character string
diff --git a/sql/item.h b/sql/item.h
@@ -1,7 +1,7 @@
 #ifndef ITEM_INCLUDED
 #define ITEM_INCLUDED
 
-/* Copyright (c) 2000, 2023, Oracle and/or its affiliates.
+/* Copyright (c) 2000, 2025, Oracle and/or its affiliates.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -255,6 +255,7 @@ class Name_string: public Simple_cstring
   Name_string(const char *str, size_t length):
     Simple_cstring(str, length) {}
   Name_string(const LEX_STRING str): Simple_cstring(str) {}
+  Name_string(const LEX_CSTRING str) : Simple_cstring(str) {}
   Name_string(const char *str, size_t length, bool is_null_terminated):
     Simple_cstring()
   {
diff --git a/sql/parse_tree_items.cc b/sql/parse_tree_items.cc
@@ -1,4 +1,4 @@
-/* Copyright (c) 2013, 2023, Oracle and/or its affiliates.
+/* Copyright (c) 2013, 2025, Oracle and/or its affiliates.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -190,7 +190,7 @@ bool PTI_expr_with_alias::itemize(Parse_context *pc, Item **res)
   if (alias.str)
   {
     if (pc->thd->lex->sql_command == SQLCOM_CREATE_VIEW &&
-        check_column_name(alias.str))
+        check_column_name(alias))
     {
       my_error(ER_WRONG_COLUMN_NAME, MYF(0), alias.str);
       return true;
diff --git a/sql/sql_class.h b/sql/sql_class.h
@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2023, Oracle and/or its affiliates.
+/* Copyright (c) 2000, 2025, Oracle and/or its affiliates.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -5507,7 +5507,7 @@ class user_var_entry
   */
   static user_var_entry *create(THD *thd, const Name_string &name, const CHARSET_INFO *cs)
   {
-    if (check_column_name(name.ptr()))
+    if (check_column_name(name))
     {
       my_error(ER_ILLEGAL_USER_VAR, MYF(0), name.ptr());
       return NULL;
diff --git a/sql/sql_table.cc b/sql/sql_table.cc
@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2000, 2023, Oracle and/or its affiliates.
+   Copyright (c) 2000, 2025, Oracle and/or its affiliates.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -3731,7 +3731,7 @@ mysql_prepare_create_table(THD *thd, const char *error_schema_name,
     if (!(sql_field->flags & NOT_NULL_FLAG))
       null_fields++;
 
-    if (check_column_name(sql_field->field_name))
+    if (check_column_name(to_lex_cstring(sql_field->field_name)))
     {
       my_error(ER_WRONG_COLUMN_NAME, MYF(0), sql_field->field_name);
       DBUG_RETURN(TRUE);
@@ -4479,7 +4479,7 @@ mysql_prepare_create_table(THD *thd, const char *error_schema_name,
       }
     }
     key_info->actual_flags= key_info->flags;
-    if (!key_info->name || check_column_name(key_info->name))
+    if (!key_info->name || check_column_name(to_lex_cstring(key_info->name)))
     {
       my_error(ER_WRONG_NAME_FOR_INDEX, MYF(0), key_info->name);
       DBUG_RETURN(TRUE);
diff --git a/sql/sql_view.cc b/sql/sql_view.cc
@@ -1,4 +1,4 @@
-/* Copyright (c) 2004, 2023, Oracle and/or its affiliates.
+/* Copyright (c) 2004, 2025, Oracle and/or its affiliates.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -182,7 +182,7 @@ static void make_valid_column_names(LEX *lex)
     for (List_iterator_fast<Item> it(sl->item_list); (item= it++); column_no++)
     {
       if (!item->item_name.is_autogenerated() ||
-          !check_column_name(item->item_name.ptr()))
+          !check_column_name(item->item_name))
         continue;
       name_len= my_snprintf(buff, NAME_LEN, "Name_exp_%u", column_no);
       item->orig_name= item->item_name;
diff --git a/sql/table.cc b/sql/table.cc
@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2000, 2023, Oracle and/or its affiliates.
+   Copyright (c) 2000, 2025, Oracle and/or its affiliates.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -4306,19 +4306,20 @@ enum_ident_name_check check_table_name(const char *name, size_t length,
 }
 
 
-bool check_column_name(const char *name)
-{
+bool check_column_name(const Name_string &namestring) {
   // name length in symbols
   size_t name_length= 0;
   bool last_char_is_space= TRUE;
+  const char *name = namestring.ptr();
+  const char *name_end = name + namestring.length();
+  const bool is_multibyte = use_mb(system_charset_info);
 
   while (*name)
   {
     last_char_is_space= my_isspace(system_charset_info, *name);
-    if (use_mb(system_charset_info))
+    if (is_multibyte)
     {
-      int len=my_ismbchar(system_charset_info, name, 
-                          name+system_charset_info->mbmaxlen);
+      int len=my_ismbchar(system_charset_info, name, name_end);
       if (len)
       {
         name += len;
diff --git a/sql/table.h b/sql/table.h
@@ -1,7 +1,7 @@
 #ifndef TABLE_INCLUDED
 #define TABLE_INCLUDED
 
-/* Copyright (c) 2000, 2023, Oracle and/or its affiliates.
+/* Copyright (c) 2000, 2025, Oracle and/or its affiliates.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -58,6 +58,7 @@ struct LEX;
 typedef int8 plan_idx;
 class Opt_hints_qb;
 class Opt_hints_table;
+class Name_string;
 
 #define store_record(A,B) memcpy((A)->B,(A)->record[0],(size_t) (A)->s->reclength)
 #define restore_record(A,B) memcpy((A)->record[0],(A)->B,(size_t) (A)->s->reclength)
@@ -2982,7 +2983,7 @@ void open_table_error(TABLE_SHARE *share, int error, int db_errno, int errarg);
 void update_create_info_from_table(HA_CREATE_INFO *info, TABLE *form);
 enum_ident_name_check check_and_convert_db_name(LEX_STRING *db,
                                                 bool preserve_lettercase);
-bool check_column_name(const char *name);
+bool check_column_name(const Name_string &name);
 enum_ident_name_check check_table_name(const char *name, size_t length,
                                        bool check_for_path_chars);
 int rename_file_ext(const char * from,const char * to,const char * ext);

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`#ifndef SQL_STRING_INCLUDED`
`2`	`2`	`#define SQL_STRING_INCLUDED`
`3`	`3`
`4`		`-/* Copyright (c) 2000, 2023, Oracle and/or its affiliates.`
	`4`	`+/* Copyright (c) 2000, 2025, Oracle and/or its affiliates.`
`5`	`5`
`6`	`6`	`This program is free software; you can redistribute it and/or modify`
`7`	`7`	`it under the terms of the GNU General Public License, version 2.0,`
`@@ -79,6 +79,8 @@ class Simple_cstring`
`79`	`79`	`{`
`80`	`80`	`set(arg.str, arg.length);`
`81`	`81`	`}`
	`82`	`+ Simple_cstring(const LEX_CSTRING arg) { set(arg.str, arg.length); }`
	`83`	`+`
`82`	`84`	`void reset()`
`83`	`85`	`{`
`84`	`86`	`set(NULL, 0);`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-/* Copyright (c) 2013, 2023, Oracle and/or its affiliates.`
	`1`	`+/* Copyright (c) 2013, 2025, Oracle and/or its affiliates.`
`2`	`2`
`3`	`3`	`This program is free software; you can redistribute it and/or modify`
`4`	`4`	`it under the terms of the GNU General Public License, version 2.0,`
`@@ -190,7 +190,7 @@ bool PTI_expr_with_alias::itemize(Parse_context pc, Item *res)`
`190`	`190`	`if (alias.str)`
`191`	`191`	`{`
`192`	`192`	`if (pc->thd->lex->sql_command == SQLCOM_CREATE_VIEW &&`
`193`		`- check_column_name(alias.str))`
	`193`	`+ check_column_name(alias))`
`194`	`194`	`{`
`195`	`195`	`my_error(ER_WRONG_COLUMN_NAME, MYF(0), alias.str);`
`196`	`196`	`return true;`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`/*`
`2`		`- Copyright (c) 2000, 2023, Oracle and/or its affiliates.`
	`2`	`+ Copyright (c) 2000, 2025, Oracle and/or its affiliates.`
`3`	`3`
`4`	`4`	`This program is free software; you can redistribute it and/or modify`
`5`	`5`	`it under the terms of the GNU General Public License, version 2.0,`
`@@ -3731,7 +3731,7 @@ mysql_prepare_create_table(THD thd, const char error_schema_name,`
`3731`	`3731`	`if (!(sql_field->flags & NOT_NULL_FLAG))`
`3732`	`3732`	`null_fields++;`
`3733`	`3733`
`3734`		`- if (check_column_name(sql_field->field_name))`
	`3734`	`+ if (check_column_name(to_lex_cstring(sql_field->field_name)))`
`3735`	`3735`	`{`
`3736`	`3736`	`my_error(ER_WRONG_COLUMN_NAME, MYF(0), sql_field->field_name);`
`3737`	`3737`	`DBUG_RETURN(TRUE);`
`@@ -4479,7 +4479,7 @@ mysql_prepare_create_table(THD thd, const char error_schema_name,`
`4479`	`4479`	`}`
`4480`	`4480`	`}`
`4481`	`4481`	`key_info->actual_flags= key_info->flags;`
`4482`		`- if (!key_info->name \|\| check_column_name(key_info->name))`
	`4482`	`+ if (!key_info->name \|\| check_column_name(to_lex_cstring(key_info->name)))`
`4483`	`4483`	`{`
`4484`	`4484`	`my_error(ER_WRONG_NAME_FOR_INDEX, MYF(0), key_info->name);`
`4485`	`4485`	`DBUG_RETURN(TRUE);`