MDEV-32376 SHOW CREATE DATABASE statement crashes the server when db name contains some unicode characters, ASAN stack-buffer-overflow

Adding the test for the length of lex->name into show_create_db(). Without this test writes beyond the end of db_name_buff were possible upon a too long database name.
2025-03-24 16:08:42 +01:00 · 2024-06-10 09:31:14 +04:00 · 2024-06-10 09:31:14 +04:00 · 21f56583bf
commit 21f56583bf
parent bf0aa99aeb
3 changed files with 33 additions and 0 deletions
--- a/mysql-test/main/create.result
+++ b/mysql-test/main/create.result
@ -2061,4 +2061,11 @@ DROP TABLE t1;
 #
 CREATE TABLE t1 (id1 INT, id2 INT, primary key (id1), unique index (id2) visible);
 drop table t1;
+#
+# MDEV-32376 SHOW CREATE DATABASE statement crashes the server when db name contains some unicode characters, ASAN stack-buffer-overflow
+#
+SET NAMES utf8mb3;
+SHOW CREATE DATABASE `#testone#￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭`;
+ERROR 42000: Incorrect database name '#testone#￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭...'
+SET NAMES DEFAULT;
 # End of 10.5 Test
--- a/mysql-test/main/create.test
+++ b/mysql-test/main/create.test
@ -1935,4 +1935,13 @@ DROP TABLE t1;
 CREATE TABLE t1 (id1 INT, id2 INT, primary key (id1), unique index (id2) visible);
 drop table t1;

+--echo #
+--echo # MDEV-32376 SHOW CREATE DATABASE statement crashes the server when db name contains some unicode characters, ASAN stack-buffer-overflow
+--echo #
+
+SET NAMES utf8mb3;
+--error ER_WRONG_DB_NAME
+SHOW CREATE DATABASE `#testone#￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭￭`;
+SET NAMES DEFAULT;
+
 --echo # End of 10.5 Test
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@ -6637,6 +6637,23 @@ show_create_db(THD *thd, LEX *lex)
  DBUG_EXECUTE_IF("4x_server_emul",
                  my_error(ER_UNKNOWN_ERROR, MYF(0)); return 1;);

+#if MYSQL_VERSION_ID<=110301
+  /*
+    This piece of the code was added in 10.5 to fix MDEV-32376.
+    It should not get to 11.3 or higer, as MDEV-32376 was fixed
+    in a different way in 11.3.1 (see MDEV-31948).
+  */
+  if (lex->name.length > sizeof(db_name_buff) - 1)
+  {
+    my_error(ER_WRONG_DB_NAME, MYF(0),
+             ErrConvString(lex->name.str, lex->name.length,
+                           system_charset_info).ptr());
+    return 1;
+  }
+#else
+#error Remove this preprocessor-conditional code in 11.3.1+
+#endif
+
  db_name.str= db_name_buff;
  db_name.length= lex->name.length;
  strmov(db_name_buff, lex->name.str);