Fixing BUG#15658: Server crashes after creating function as empty string

Empty strings (and names with trailing spaces) should not be allowed. mysql-test/r/sp-error.result: New testcase for BUG#15658 mysql-test/t/sp-error.test: New testcase for BUG#15658 sql/share/errmsg.txt: New error message for bad stored routine names. sql/sp_head.cc: Added function for checking SP names. (Mustn't be empty or contain trailing spaces.) sql/sp_head.h: Added function for checking SP names. sql/sql_yacc.yy: Check db and name for stored routines.
2025-01-29 02:05:57 +01:00 · 2006-01-11 15:11:05 +01:00 · 2006-01-11 15:11:05 +01:00 · 1e96805752
commit 1e96805752
parent 935ad7e8f3
6 changed files with 82 additions and 0 deletions
--- a/mysql-test/r/sp-error.result
+++ b/mysql-test/r/sp-error.result
@ -1128,3 +1128,22 @@ ERROR HY000: View 'test.v1' references invalid table(s) or column(s) or function
 drop function bug11555_1;
 drop table t1;
 drop view v1;
+drop procedure if exists ` bug15658`;
+create procedure ``() select 1;
+ERROR 42000: Incorrect routine name ''
+create procedure ` `() select 1;
+ERROR 42000: Incorrect routine name ' '
+create procedure `bug15658 `() select 1;
+ERROR 42000: Incorrect routine name 'bug15658 '
+create procedure ``.bug15658() select 1;
+ERROR 42000: Incorrect database name ''
+create procedure `x `.bug15658() select 1;
+ERROR 42000: Incorrect database name 'x '
+create procedure ` bug15658`() select 1;
+call ` bug15658`();
+1
+1
+show procedure status;
+Db	Name	Type	Definer	Modified	Created	Security_type	Comment
+test	 bug15658	PROCEDURE	root@localhost	0000-00-00 00:00:00	0000-00-00 00:00:00	DEFINER	
+drop procedure ` bug15658`;
--- a/mysql-test/t/sp-error.test
+++ b/mysql-test/t/sp-error.test
@ -1556,6 +1556,7 @@ drop procedure bug13012_1|
 drop function bug13012_2|
 delimiter ;|

+#
 # BUG#11555 "Stored procedures: current SP tables locking make 
 # impossible view security". We should not expose names of tables
 # which are implicitly used by view (via stored routines/triggers).
@ -1616,7 +1617,33 @@ drop function bug11555_1;
 drop table t1;
 drop view v1;

+#
+# BUG#15658: Server crashes after creating function as empty string
+#
+--disable_warnings
+drop procedure if exists ` bug15658`;
+--enable_warnings

+--error ER_SP_WRONG_NAME
+create procedure ``() select 1;
+--error ER_SP_WRONG_NAME
+create procedure ` `() select 1;
+--error ER_SP_WRONG_NAME
+create procedure `bug15658 `() select 1;
+--error ER_WRONG_DB_NAME
+create procedure ``.bug15658() select 1;
+--error ER_WRONG_DB_NAME
+create procedure `x `.bug15658() select 1;
+
+# This should work
+create procedure ` bug15658`() select 1;
+call ` bug15658`();
+--replace_column 5 '0000-00-00 00:00:00' 6 '0000-00-00 00:00:00'
+show procedure status;
+drop procedure ` bug15658`;
+
+
+#
 # BUG#NNNN: New bug synopsis
 #
 #--disable_warnings
--- a/sql/share/errmsg.txt
+++ b/sql/share/errmsg.txt
@ -5605,3 +5605,5 @@ ER_SP_RECURSION_LIMIT
        ger "Rekursionsgrenze %d (durch Variable max_sp_recursion_depth gegeben) wurde für Routine %.64s überschritten"
 ER_SP_PROC_TABLE_CORRUPT
 	eng "Failed to load routine %s. The table mysql.proc is missing, corrupt, or contains bad data (internal code %d)"
+ER_SP_WRONG_NAME 42000
+	eng "Incorrect routine name '%-.64s'"
--- a/sql/sp_head.cc
+++ b/sql/sp_head.cc
@ -384,6 +384,23 @@ sp_name_current_db_new(THD *thd, LEX_STRING name)
  return qname;
 }

+/*
+ * Check that the name 'ident' is ok. It's assumed to be an 'ident'
+ * from the parser, so we only have to check length and trailing spaces.
+ * The former is a standard requirement (and 'show status' assumes a
+ * non-empty name), the latter is a mysql:ism as trailing spaces are
+ * removed by get_field().
+ *
+ * RETURN
+ *  TRUE  - bad name
+ *  FALSE - name is ok
+ */
+
+bool
+sp_name_check(LEX_STRING ident)
+{
+  return (!ident.str || !ident.str[0] || ident.str[ident.length-1] == ' ');
+}

 /* ------------------------------------------------------------------ */

--- a/sql/sp_head.h
+++ b/sql/sp_head.h
@ -102,6 +102,8 @@ public:
 sp_name *
 sp_name_current_db_new(THD *thd, LEX_STRING name);

+bool
+sp_name_check(LEX_STRING name);

 class sp_head :private Query_arena
 {
--- a/sql/sql_yacc.yy
+++ b/sql/sql_yacc.yy
@ -1288,11 +1288,26 @@ clear_privileges:
 sp_name:
 	  ident '.' ident
 	  {
+            if (!$1.str || check_db_name($1.str))
+            {
+	      my_error(ER_WRONG_DB_NAME, MYF(0), $1.str);
+	      YYABORT;
+	    }
+	    if (sp_name_check($3))
+            {
+	      my_error(ER_SP_WRONG_NAME, MYF(0), $3.str);
+	      YYABORT;
+	    }
 	    $$= new sp_name($1, $3);
 	    $$->init_qname(YYTHD);
 	  }
 	| ident
 	  {
+	    if (sp_name_check($1))
+            {
+	      my_error(ER_SP_WRONG_NAME, MYF(0), $1.str);
+	      YYABORT;
+	    }
 	    $$= sp_name_current_db_new(YYTHD, $1);
 	  }
 	;