• Davi Arnaut's avatar
    Bug#45010: invalid memory reads during parsing some strange statements · c7163c63
    Davi Arnaut authored
    The problem is that the lexer could inadvertently skip over the
    end of a query being parsed if it encountered a malformed multibyte
    character. A specially crated query string could cause the lexer
    to jump up to six bytes past the end of the query buffer. Another
    problem was that the laxer could use unfiltered user input as
    a signed array index for the parser maps (having upper and lower
    bounds 0 and 256 respectively).
    
    The solution is to ensure that the lexer only skips over well-formed
    multibyte characters and that the index value of the parser maps
    is always a unsigned value.
    
    mysql-test/r/ctype_recoding.result:
      Update test case result: ending backtick is not skipped over anymore.
    sql/sql_lex.cc:
      Characters being analyzed must be unsigned as they can be
      used as indexes for the parser maps. Only skip over if the
      string is a valid multi-byte sequence.
    tests/mysql_client_test.c:
      Add test case for Bug#45010
    c7163c63
sql_lex.cc 66.5 KB