MDEV-26139 Spider crashes with segmentation fault (signal 11) on CREATE TABLE...

MDEV-26139 Spider crashes with segmentation fault (signal 11) on CREATE TABLE when COMMENT does not contain embedded double quotes The root cause of the bug MDEV-26139 is the lack of NULL checking on the variable `dq`. Comments on if (dq && (!sq || sq > dq)) {...} else {...}: * The if block corresponds to the case where parameters are quoted by double quotes. In that case, a single quote doesn't appear at all or only appears in the middle of double quotes. * The else block corresponds to the case where parameters are quoted by single quotes. In that case, a double quote doesn't appear at all or only appears in the middle of single quotes. * If the program reaches the if-else statement, `sq || dq` holds. Thus, the negation of `dq && (!sq || sq > dq)` is equivalent to `sq && (!dq || sq <= dq)`.

MDEV-26139 Spider crashes with segmentation fault (signal 11) on CREATE TABLE...
MDEV-26139 Spider crashes with segmentation fault (signal 11) on CREATE TABLE when COMMENT does not contain embedded double quotes The root cause of the bug MDEV-26139 is the lack of NULL checking on the variable `dq`. Comments on if (dq && (!sq || sq > dq)) {...} else {...}: * The if block corresponds to the case where parameters are quoted by double quotes. In that case, a single quote doesn't appear at all or only appears in the middle of double quotes. * The else block corresponds to the case where parameters are quoted by single quotes. In that case, a double quote doesn't appear at all or only appears in the middle of single quotes. * If the program reaches the if-else statement, `sq || dq` holds. Thus, the negation of `dq && (!sq || sq > dq)` is equivalent to `sq && (!dq || sq <= dq)`.
e3814a74 · Nayuta Yanagisawa · 78735dca · e3814a74 · e3814a74 · e3814a74
Commit e3814a74 authored Jul 14, 2021 by Nayuta Yanagisawa
3 changed files
--- a/storage/spider/mysql-test/spider/r/basic_sql.result
+++ b/storage/spider/mysql-test/spider/r/basic_sql.result
@@ -721,6 +721,12 @@ connection master_1;
 create table t2345678911234567892123456789312345678941234567895123234234(id int) ENGINE=SPIDER
 COMMENT='host "192.168.21.1", user "spider", password "password", database "test32738123123123"';
 drop table t2345678911234567892123456789312345678941234567895123234234;
+#
+# MDEV-26139 Spider crashes with segmentation fault (signal 11) on CREATE TABLE when COMMENT does not contain embedded double quotes
+#
+create table mdev_26139 (id int) ENGINE=SPIDER
+COMMENT="host '192.168.21.1', user 'spider', password 'password', database 'test'";
+drop table mdev_26139;

 deinit
 connection master_1;

--- a/storage/spider/mysql-test/spider/t/basic_sql.test
+++ b/storage/spider/mysql-test/spider/t/basic_sql.test
@@ -2682,6 +2682,13 @@ create table t2345678911234567892123456789312345678941234567895123234234(id int)
    COMMENT='host "192.168.21.1", user "spider", password "password", database "test32738123123123"';
 drop table t2345678911234567892123456789312345678941234567895123234234;

+--echo #
+--echo # MDEV-26139 Spider crashes with segmentation fault (signal 11) on CREATE TABLE when COMMENT does not contain embedded double quotes
+--echo #
+create table mdev_26139 (id int) ENGINE=SPIDER
+    COMMENT="host '192.168.21.1', user 'spider', password 'password', database 'test'";
+drop table mdev_26139;
+
 --echo
 --echo deinit
 --disable_warnings

--- a/storage/spider/spd_table.h
+++ b/storage/spider/spd_table.h
@@ -189,7 +189,8 @@ typedef struct st_spider_param_string_parse
    {
      DBUG_RETURN(print_param_error());
    }
-    else if (!sq || sq > dq)
+
+    if (dq && (!sq || sq > dq))
    {
      while (1)
      {
@@ -227,7 +228,7 @@ typedef struct st_spider_param_string_parse
        }
      }
    }
-    else
+    else /* sq && (!dq || sq <= dq) */
    {
      while (1)
      {