Bug #55424: convert_tz crashes when fed invalid data

The CONVERT_TZ function crashes the server when the timezone argument is an empty SET field value. 1) The CONVERT_TZ may find a timezone string in the tz_names hash. 2) A string representation of the empty SET is a String of zero length with the NULL pointer. 3) If the key argument length is zero, hash functions do comparison using the length of the record being compared against. I.e. a zero-length String buffer is an invalid argument for hash search functions, and if String points to NULL buffer, hashcmp() fails with SEGV accessing that memory. The my_tz_find function has been modified to treat empty Strings as invalid timezone values to skip unnecessary hash search.

Bug #55424: convert_tz crashes when fed invalid data
The CONVERT_TZ function crashes the server when the timezone argument is an empty SET field value. 1) The CONVERT_TZ may find a timezone string in the tz_names hash. 2) A string representation of the empty SET is a String of zero length with the NULL pointer. 3) If the key argument length is zero, hash functions do comparison using the length of the record being compared against. I.e. a zero-length String buffer is an invalid argument for hash search functions, and if String points to NULL buffer, hashcmp() fails with SEGV accessing that memory. The my_tz_find function has been modified to treat empty Strings as invalid timezone values to skip unnecessary hash search.
ed736379 · Gleb Shchepa · 6c0f9301 · ed736379 · ed736379 · ed736379
Commit ed736379 authored Aug 06, 2010 by Gleb Shchepa
Showing with 23 additions and 2 deletions

mysql-test/r/timezone2.result mysql-test/r/timezone2.result +12 -0

mysql-test/t/timezone2.test mysql-test/t/timezone2.test +9 -0

sql/sql_string.h sql/sql_string.h +1 -1

sql/tztime.cc sql/tztime.cc +1 -1

No files found.
--- a/mysql-test/r/timezone2.result
+++ b/mysql-test/r/timezone2.result
@@ -296,4 +296,16 @@ CONVERT_TZ(NOW(), 'UTC', 'Europe/Moscow') IS NULL
 UPDATE t1 SET t = CONVERT_TZ(t, 'UTC', 'Europe/Moscow');
 UNLOCK TABLES;
 DROP TABLE t1;
+#
+# Bug #55424: convert_tz crashes when fed invalid data
+#
+CREATE TABLE t1 (a SET('x') NOT NULL);
+INSERT INTO t1 VALUES ('');
+SELECT CONVERT_TZ(1, a, 1) FROM t1;
+CONVERT_TZ(1, a, 1)
+NULL
+SELECT CONVERT_TZ(1, 1, a) FROM t1;
+CONVERT_TZ(1, 1, a)
+NULL
+DROP TABLE t1;
 End of 5.1 tests
--- a/mysql-test/t/timezone2.test
+++ b/mysql-test/t/timezone2.test
@@ -273,5 +273,14 @@ UNLOCK TABLES;
 DROP TABLE t1;
+--echo #
+--echo # Bug #55424: convert_tz crashes when fed invalid data
+--echo #
+CREATE TABLE t1 (a SET('x') NOT NULL);
+INSERT INTO t1 VALUES ('');
+SELECT CONVERT_TZ(1, a, 1) FROM t1;
+SELECT CONVERT_TZ(1, 1, a) FROM t1;
+DROP TABLE t1;
 --echo End of 5.1 tests
--- a/sql/sql_string.h
+++ b/sql/sql_string.h
@@ -97,7 +97,7 @@ public:
  inline uint32 alloced_length() const { return Alloced_length;}
  inline char& operator [] (uint32 i) const { return Ptr[i]; }
  inline void length(uint32 len) { str_length=len ; }
-  inline bool is_empty() { return (str_length == 0); }
+  inline bool is_empty() const { return (str_length == 0); }
  inline void mark_as_const() { Alloced_length= 0;}
  inline const char *ptr() const { return Ptr; }
  inline char *c_ptr()

--- a/sql/tztime.cc
+++ b/sql/tztime.cc
@@ -2259,7 +2259,7 @@ my_tz_find(THD *thd, const String *name)
  DBUG_PRINT("enter", ("time zone name='%s'",
                       name ? ((String *)name)->c_ptr_safe() : "NULL"));
-  if (!name)
+  if (!name || name->is_empty())
    DBUG_RETURN(0);
  VOID(pthread_mutex_lock(&tz_LOCK));