Bug #38701: Crash in String::append when inserting duplicate empty strings an uft8

SET col When reporting a duplicate key error the server was making incorrect assumptions on what the state of the value string to include in the error is. Fixed by accessing the data in this string in a "safe" way (without relying on it having a terminating 0). Detected by code analysis and fixed a similar problem in reporting the foreign key duplicate errors.
2025-01-18 04:53:01 +01:00 · 2008-09-05 18:21:59 +03:00 · 2008-09-05 18:21:59 +03:00 · e953a26df5
commit e953a26df5
parent 565c4d2bb2
3 changed files with 31 additions and 2 deletions
--- a/mysql-test/r/type_set.result
+++ b/mysql-test/r/type_set.result
@ -93,4 +93,14 @@ c
 1,2,3
 64
 DROP TABLE t1;
+CREATE TABLE t1 (
+set_unique_utf8 set ('a','b','c','d','e','f','g','h','i','j','k','l',
+'m','n','o','p','q','r','s','t','u','v','w','x',
+'y','z') CHARACTER SET utf8,
+unique (set_unique_utf8)
+);
+INSERT INTO t1 ( set_unique_utf8 ) VALUES ( '' );
+INSERT INTO t1 ( set_unique_utf8 ) VALUES ( '' );
+ERROR 23000: Duplicate entry '' for key 'set_unique_utf8'
+DROP TABLE t1;
 End of 5.0 tests
--- a/mysql-test/t/type_set.test
+++ b/mysql-test/t/type_set.test
@ -75,4 +75,23 @@ INSERT INTO t1 VALUES(9223372036854775808);
 SELECT * FROM t1;
 DROP TABLE t1;

+#
+# Bug #38701: Crash in String::append when inserting duplicate empty strings
+# an uft8 SET col
+#
+
+CREATE TABLE t1 (
+        set_unique_utf8 set ('a','b','c','d','e','f','g','h','i','j','k','l',
+                             'm','n','o','p','q','r','s','t','u','v','w','x',
+                             'y','z') CHARACTER SET utf8,
+        unique (set_unique_utf8)
+);
+
+INSERT INTO t1 ( set_unique_utf8 ) VALUES ( '' );
+--error ER_DUP_ENTRY 
+INSERT INTO t1 ( set_unique_utf8 ) VALUES ( '' );
+
+DROP TABLE t1;
+
+
 --echo End of 5.0 tests
--- a/sql/handler.cc
+++ b/sql/handler.cc
@ -2496,7 +2496,7 @@ void handler::print_keydup_error(uint key_nr, const char *msg)
      str.append(STRING_WITH_LEN("..."));
    }
    my_printf_error(ER_DUP_ENTRY, msg,
-		    MYF(0), str.c_ptr(), table->key_info[key_nr].name);
+		    MYF(0), str.c_ptr_safe(), table->key_info[key_nr].name);
  }
 }

@ -2564,7 +2564,7 @@ void handler::print_error(int error, myf errflag)
        str.append(STRING_WITH_LEN("..."));
      }
      my_error(ER_FOREIGN_DUPLICATE_KEY, MYF(0), table_share->table_name.str,
-        str.c_ptr(), key_nr+1);
+        str.c_ptr_safe(), key_nr+1);
      DBUG_VOID_RETURN;
    }
    textno= ER_DUP_KEY;