Fix for bug#21311: Possible stack overrun if SP has non-latin1 name

There was possible stack overrun in an edge case which handles invalid body of a SP in mysql.proc . That should be case when mysql.proc has been changed manually. Though, due to bug 21513, it can be exploited without having access to mysql.proc only being able to create a stored routine. mysql-test/r/sp.result: update result mysql-test/t/sp.test: add a test case for the bug sql/sp.cc: Fix stack overrun. This happen mostly when mysql.proc is damaged, though it's possible due to another bug which creates invalid SP body in mysql.proc (leading quote from a label being cut) to create stack overrun even without having direct access to mysql.proc
2026-05-03 13:45:34 +02:00 · 2006-09-27 21:23:17 +02:00 · 2006-09-27 21:23:17 +02:00 · fcb8687ad9
commit fcb8687ad9
parent 1a22b9c1f6
3 changed files with 31 additions and 1 deletions
--- a/mysql-test/r/sp.result
+++ b/mysql-test/r/sp.result
@ -5394,4 +5394,11 @@ Procedure	sql_mode	Create Procedure
 bug21416		CREATE DEFINER=`root`@`localhost` PROCEDURE `bug21416`()
 show create procedure bug21416
 drop procedure bug21416|
+set names utf8|
+drop database if exists това_е_дълго_име_за_база_данни_нали|
+create database това_е_дълго_име_за_база_данни_нали|
+INSERT INTO mysql.proc VALUES ('това_е_дълго_име_за_база_данни_нали','това_е_процедура_с_доста_дълго_име_нали_и_още_по_дълго','PROCEDURE','това_е_процедура_с_доста_дълго_име_нали_и_още_по_дълго','SQL','CONTAINS_SQL','NO','DEFINER','','','bad_body','root@localhost',now(), now(),'','')|
+call това_е_дълго_име_за_база_данни_нали.това_е_процедура_с_доста_дълго_име_нали_и_още_по_дълго()|
+ERROR HY000: Failed to load routine това_е_дълго_име_за_база_данни_нали.това_е_процедура_с_доста_дълго_име_нали_и_още_по_дълго. The table mysql.proc is missing, corrupt, or contains bad data (internal code -6)
+drop database това_е_дълго_име_за_база_данни_нали|
 drop table t1,t2;
--- a/mysql-test/t/sp.test
+++ b/mysql-test/t/sp.test
@ -6322,6 +6322,19 @@ create procedure bug21416() show create procedure bug21416|
 call bug21416()|
 drop procedure bug21416|

+#
+# BUG#21311: Possible stack overrun if SP has non-latin1 name
+#
+set names utf8|
+--disable_warnings
+drop database if exists това_е_дълго_име_за_база_данни_нали|
+--enable_warnings
+create database това_е_дълго_име_за_база_данни_нали|
+INSERT INTO mysql.proc VALUES ('това_е_дълго_име_за_база_данни_нали','това_е_процедура_с_доста_дълго_име_нали_и_още_по_дълго','PROCEDURE','това_е_процедура_с_доста_дълго_име_нали_и_още_по_дълго','SQL','CONTAINS_SQL','NO','DEFINER','','','bad_body','root@localhost',now(), now(),'','')|
+--error ER_SP_PROC_TABLE_CORRUPT
+call това_е_дълго_име_за_база_данни_нали.това_е_процедура_с_доста_дълго_име_нали_и_още_по_дълго()|
+drop database това_е_дълго_име_за_база_данни_нали|
+
 #
 # BUG#NNNN: New bug synopsis
 #
--- a/sql/sp.cc
+++ b/sql/sp.cc
@ -1633,7 +1633,17 @@ sp_cache_routines_and_add_tables_aux(THD *thd, LEX *lex,
         */
        if (!thd->net.report_error)
        {
-          char n[NAME_LEN*2+2];
+          /*
+            SP allows full NAME_LEN chars thus he have to allocate enough
+            size in bytes. Otherwise there is stack overrun could happen
+            if multibyte sequence is `name`. `db` is still safe because the
+            rest of the server checks agains NAME_LEN bytes and not chars.
+            Hence, the overrun happens only if the name is in length > 32 and
+            uses multibyte (cyrillic, greek, etc.)
+
+            !! Change 3 with SYSTEM_CHARSET_MBMAXLEN when it's defined.
+          */
+          char n[NAME_LEN*3*2+2];

          /* m_qname.str is not always \0 terminated */
          memcpy(n, name.m_qname.str, name.m_qname.length);