Bug #44796: valgrind: too many my_longlong10_to_str_8bit

warnings after uncompressed_length UNCOMPRESSED_LENGTH() did not validate its argument. In particular, if the argument length was less than 4 bytes, an uninitialized memory value was returned as a result. Since the result of COMPRESS() is either an empty string or a 4-byte length prefix followed by compressed data, the bug was fixed by ensuring that the argument of UNCOMPRESSED_LENGTH() is either an empty string or contains at least 5 bytes (as done in UNCOMPRESS()). This is the best we can do to validate input without decompressing.
2025-01-18 04:53:01 +01:00 · 2009-05-20 12:30:06 +04:00 · 2009-05-20 12:30:06 +04:00 · 85645fe3f6
commit 85645fe3f6
parent edc19ca252
3 changed files with 47 additions and 1 deletions
--- a/mysql-test/r/func_compress.result
+++ b/mysql-test/r/func_compress.result
@ -116,4 +116,19 @@ Warnings:
 Error	1259	ZLIB: Input data corrupted
 Error	1259	ZLIB: Input data corrupted
 drop table t1;
+CREATE TABLE t1 (c1 INT);
+INSERT INTO t1 VALUES (1), (1111), (11111);
+SELECT UNCOMPRESS(c1), UNCOMPRESSED_LENGTH(c1) FROM t1;
+UNCOMPRESS(c1)	UNCOMPRESSED_LENGTH(c1)
+NULL	NULL
+NULL	NULL
+NULL	825307441
+Warnings:
+Error	1259	ZLIB: Input data corrupted
+Error	1259	ZLIB: Input data corrupted
+Error	1259	ZLIB: Input data corrupted
+Error	1259	ZLIB: Input data corrupted
+Error	1256	Uncompressed data size too large; the maximum size is 104857600 (probably, length of uncompressed data was corrupted)
+EXPLAIN EXTENDED SELECT * FROM (SELECT UNCOMPRESSED_LENGTH(c1) FROM t1) AS s;
+DROP TABLE t1;
 End of 5.0 tests
--- a/mysql-test/t/func_compress.test
+++ b/mysql-test/t/func_compress.test
@ -82,4 +82,21 @@ select *, uncompress(a) from t1;
 select *, uncompress(a), uncompress(a) is null from t1;
 drop table t1;

+#
+# Bug #44796: valgrind: too many my_longlong10_to_str_8bit warnings after 
+#             uncompressed_length
+#
+
+CREATE TABLE t1 (c1 INT);
+INSERT INTO t1 VALUES (1), (1111), (11111);
+
+SELECT UNCOMPRESS(c1), UNCOMPRESSED_LENGTH(c1) FROM t1;
+
+# We do not need the results, just make sure there are no valgrind errors
+--disable_result_log
+EXPLAIN EXTENDED SELECT * FROM (SELECT UNCOMPRESSED_LENGTH(c1) FROM t1) AS s;
+--enable_result_log
+
+DROP TABLE t1;
+
 --echo End of 5.0 tests
--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@ -3108,7 +3108,21 @@ longlong Item_func_uncompressed_length::val_int()
  if (res->is_empty()) return 0;

  /*
-    res->ptr() using is safe because we have tested that string is not empty,
+    If length is <= 4 bytes, data is corrupt. This is the best we can do
+    to detect garbage input without decompressing it.
+  */
+  if (res->length() <= 4)
+  {
+    push_warning_printf(current_thd, MYSQL_ERROR::WARN_LEVEL_ERROR,
+                        ER_ZLIB_Z_DATA_ERROR,
+                        ER(ER_ZLIB_Z_DATA_ERROR));
+    null_value= 1;
+    return 0;
+  }
+
+ /*
+    res->ptr() using is safe because we have tested that string is at least
+    5 bytes long.
    res->c_ptr() is not used because:
      - we do not need \0 terminated string to get first 4 bytes
      - c_ptr() tests simbol after string end (uninitialiozed memory) which