Fix for BUG#2703

"MySQL server does not detect if garbage chars at the end of query":

Detect garbage chars at the end of the query or at the end of a query
for a prepared statement (which happens if mysql_real_query() or mysql_prepare()
were called with a too big 'length' parameter (bigger than the real intended
length of the query: then we receive a query + garbage characters from the
client). This resulted in garbage chars written into the binlog.
Now instead the client receives something like:
'You have an error in your SQL syntax.  Check the manual that corresponds
to your MySQL server version for the right syntax to use near '!stmt'
at line 1' i.e. the server is pointing at the weird tail of the query
(this '!stmt' are the garbage chars sent by the client).
All tests pass, except mysqldump.test and ctype_utf8.test but they failed
before the patch.
parent f8f0c212
...@@ -3845,7 +3845,23 @@ mysql_parse(THD *thd, char *inBuf, uint length) ...@@ -3845,7 +3845,23 @@ mysql_parse(THD *thd, char *inBuf, uint length)
if (query_cache_send_result_to_client(thd, inBuf, length) <= 0) if (query_cache_send_result_to_client(thd, inBuf, length) <= 0)
{ {
LEX *lex=lex_start(thd, (uchar*) inBuf, length); LEX *lex=lex_start(thd, (uchar*) inBuf, length);
if (!yyparse((void *)thd) && ! thd->is_fatal_error) if (!yyparse((void *)thd) && ! thd->is_fatal_error &&
/*
If this is not a multiple query, ensure that it has been
successfully parsed until the last character. This is to prevent
against a wrong (too big) length passed to mysql_real_query(),
mysql_prepare()... which can generate garbage characters at the
end. If the query was initially multiple, found_colon will be false
only when we are in the last query; this last query had already
been end-spaces-stripped by alloc_query() in dispatch_command(); as
end spaces are the only thing we accept at the end of a query, and
they have been stripped already, here we can require that nothing
remains after parsing.
*/
(thd->lex->found_colon ||
(char*)(thd->lex->ptr) == (thd->query+thd->query_length+1) ||
/* yyerror() will show the garbage chars to the user */
(yyerror("syntax error"), 0)))
{ {
#ifndef NO_EMBEDDED_ACCESS_CHECKS #ifndef NO_EMBEDDED_ACCESS_CHECKS
if (mqh_used && thd->user_connect && if (mqh_used && thd->user_connect &&
......
...@@ -909,7 +909,15 @@ bool mysql_stmt_prepare(THD *thd, char *packet, uint packet_length) ...@@ -909,7 +909,15 @@ bool mysql_stmt_prepare(THD *thd, char *packet, uint packet_length)
lex->safe_to_cache_query= 0; lex->safe_to_cache_query= 0;
lex->param_count= 0; lex->param_count= 0;
if (yyparse((void *)thd) || thd->is_fatal_error || send_prepare_results(stmt)) if (yyparse((void *)thd) || thd->is_fatal_error ||
/*
Check for wrong (too big) length passed to mysql_prepare() resulting in
garbage at the end of the query. There is a similar check in mysql_parse().
*/
(!thd->lex->found_colon &&
(char*)(thd->lex->ptr) != (thd->query+thd->query_length+1) &&
/* yyerror() will show the garbage chars to the user */
(yyerror("syntax error"), 1)) || send_prepare_results(stmt))
goto yyparse_err; goto yyparse_err;
lex_end(lex); lex_end(lex);
......
This diff is collapsed.
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment