    639605a9 · Dmitry Shulga authored
    
    Fixed bug#11840395 (formerly known as bug#60347: THE STRING "VERSIONDATA"
    SEEMS TO BE 'LEAKING' INTO THE SCHEMA NAME SPACE)
    and bug#12428824 (Parser stack overflow and crash in sp_add_used_routine
    with obscure query).
    
    The first problem was that attempts to call a stored function by
    its fully qualified name ended up with unwarranted error "ERROR 1305
    (42000): FUNCTION someMixedCaseDb.my_function_name does not exist"
    if this function belonged to a schema that had uppercase letters in
    its name AND --lower_case_table_names was equal to either 1 or 2.
    
    The second problem was that the 5.5 version of MySQL server might have
    crashed when a user tried to call a stored function with a too long name
    or too long database name (i.e. if a function and database name combined
    occupied more than 2*3*64 bytes in utf8). This issue didn't affect
    versions of server < 5.5.
     
    The first problem was caused by the fact that in cases when a stored
    function was called by its fully qualified name we didn't lowercase the
    name of its schema before performing lookup of the function in the
    mysql.proc table even though lower_case_table_names mode was on.
    As a result we were unable to find this function since during its
    creation we store the lowercased version of the schema name in the system
    table in this mode and the field for the schema name uses binary collation.
    
    Calls to stored functions were unaffected by this problem since for
    them the schema name is converted to lowercase as necessary.
    
    The reason for the second bug was that MySQL Server didn't check the length
    of the function name and database name before proceeding with execution of
    the stored function. As a consequence a too long database name or function
    name caused buffer overruns in places where the code assumes that their
    length is within fixed limits, like mdl_key_init() in 5.5.
    
    Again this issue didn't affect calls to stored procedures as for them the
    length of the schema name and procedure name is properly checked.
    
    This patch fixes both these bugs by adding calls to check_db_name()
    and check_routine_name() to the grammar rule which corresponds to a call
    to a stored function. These functions ensure that the length of the database
    name and function name for the routine called is within the standard limit.
    Moreover, the call to check_db_name() handles conversion of the database name
    to lowercase if --lower_case_table_names mode is on.
    
    Note that even though the second issue seems to be only reproducible
    in 5.5 we still add code fixing it to 5.1 to be on the safe side (and
    make the code a bit more robust against possible future changes).
    Changed file: sql_yacc.yy (405 KB)
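As an added illustration (not the patch's own code, which lives in sql_yacc.yy), the following Python models the two parse-time checks the message describes: the byte-length limit, taken from the message's 2*3*64 figure as an assumed 64 characters of up to 3 bytes per name, and the lowercase conversion under lower_case_table_names 1 or 2, shown against a constructed mysql.proc entry so the pre-fix lookup failure is visible. The function names mirror the message's check_db_name()/check_routine_name(), but their rules here are assumptions, not the server's.

```python
# Added model, not the server's code: the two checks below only borrow the names
# from the commit message. Limit assumed from "2*3*64 bytes in utf8", i.e. 64
# characters of up to 3 bytes for each name.
NAME_LEN = 64 * 3  # maximum bytes per name in utf8

class BadName(ValueError):
    """Raised instead of letting an over-long name reach a fixed-size buffer."""

def check_db_name(db: str, lower_case_table_names: int) -> str:
    """Validate a schema name; lowercase it when lower_case_table_names is 1 or 2."""
    if not db or len(db.encode("utf-8")) > NAME_LEN:
        raise BadName(f"incorrect database name {db!r}")
    # Routines are stored with a lowercased schema name in this mode and the
    # schema field of mysql.proc uses a binary collation, so the lookup key
    # must be lowercased too (the step the first bug was missing).
    return db.lower() if lower_case_table_names in (1, 2) else db

def check_routine_name(name: str) -> str:
    """Validate a routine name: non-empty and within the byte limit."""
    if not name or len(name.encode("utf-8")) > NAME_LEN:
        raise BadName(f"incorrect routine name {name!r}")
    return name

# Constructed mysql.proc content: the function was created while
# lower_case_table_names=1 was in effect, so its schema name is stored lowercased.
STORED_ROUTINES = {("somemixedcasedb", "my_function_name")}

def lookup_function(db, name, lower_case_table_names, with_fix=True):
    """Exact-match lookup, as the binary-collated schema column behaves.
    with_fix=False reproduces the pre-fix lookup key."""
    if with_fix:
        key = (check_db_name(db, lower_case_table_names), check_routine_name(name))
    else:
        key = (db, name)  # schema name passed through unchanged
    return key in STORED_ROUTINES

def is_rejected(db, name, lower_case_table_names=0):
    """True if the checks refuse the names before any lookup or buffer use."""
    try:
        check_db_name(db, lower_case_table_names)
        check_routine_name(name)
    except BadName:
        return True
    return False
```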