mirror of
https://github.com/MariaDB/server.git
synced 2025-01-25 00:04:33 +01:00
1756d087cd
"set optimizer_switch to e or d causes invalid memory writes/valgrind warnings":
due to prefix support, the argument "e" was overwritten with its full value
"engine_condition_pushdown", which caused a buffer overrun.
This was wrong usage of find_type(); other wrong usages are fixed here too.
Please start reading with the comment of typelib.c.
client/mysqldump.c:
A bug: find_type() expects a bitmap as 3rd argument
(each bit is a flag controlling a behaviour of the function);
here it was instead passed the length of the string to search!
That could give random behaviour of find_type()
depending on the string.
We rather need to pass a correct flag to find_type().
The correct flag is FIND_TYPE_BASIC (0).
Flag 8 is not needed as buff cannot have a comma (see how buff is filled).
Flag 1 looks like a superfluous restriction.
Flag 4 is not user-friendly (why use
--compatible=2 rather than --compatible=mysql40 ?, and
we probably not commit to "2" always meaning "mysql40"
until the end of times).
include/mysql.h.pp:
This isn't a problematic API change as we go from char* to const char*:
existing code will run unchanged.
include/typelib.h:
named constants. Not an enum to not significantly change
the declaration of find_type() which would be an API change
(typelib.h is included in mysql.h).
mysql-test/r/mysqldump.result:
correct result (see the two requested modes in SQL_MODE)
mysql-test/suite/sys_vars/t/optimizer_switch_basic.test:
test for BUG#59894. The second SET used to crash.
mysql-test/t/mysqldump.test:
we had no test for multiple modes in --compatible, which is
supported according to --help
mysys/typelib.c:
Fix for BUG#59894. parse_name() is asked to match "e" with a row
of the TYPELIB (the TYPELIB lists permitted flags of optimizer_switch;
and comes from optimizer_switch_names[] of sys_vars.cc).
find_type() is capable of supporting prefixes, but if it is not
passed flag 2 in third argument, it will overwrite its first
argument (the string to search for) with the complete name,
here overwriting "e" with "engine_condition_pushdown". But
as this "e" was a buffer allocated in an Item, it was not big
enough to host the longer name, thus the crash.
We don't need to know the complete flag's name; the output used
from find_type() is just the flag's number (== function's return
code). So we can pass flag 2 to find_type() in parse_name().
After doing this fix and the other fixes in this patch, all usages
of find_type() were using flag 2; in most usages the string to search for,
is not guaranteed to be long enough to host the complete name
(it is either directly from argv, or from alloc_root/my_malloc
done in an earlier call).
Thus, flag 2 is here made implicit: callers need not pass it anymore,
it is always automatically turned on.
This allows to eliminate an oddity: parse_name() took a const char**,
and then removed "const" before calling find_type(), which could
theoretically modify the pointed data, thus lying on constness.
Last, constants for find_type() are now named.
sql-common/client.c:
Two bugs:
1) The enum was not in sync with the array (due to a bad porting of WL 1054;
the extra OPT_ values are about options present in 5.1 and deleted in 5.5);
added a compile_time_assert() to make sure this doesn't happen again
2) find_type() was writing past the end of opt_arg; as opt_arg was allocated
with alloc_root() with no extra space, this was an overrun; it could be seen
when
** building with -DWITH_VALGRIND -DHAVE_purify -DEXTRA_DEBUG
** making execution go through the faulty code; this faulty
code is executed only if the client asks to read a configuration
file like this:
mysql_options(mysql, MYSQL_READ_DEFAULT_FILE, "/tmp/cnf.cnf");
so by adding such line to the start of mysql_client_test.c::client_connect(),
we could see the valgrind warning:
==30548== Invalid write of size 1
==30548== at 0x4C2624C: strcpy (mc_replace_strmem.c:303)
==30548== by 0x48DC29: find_type (typelib.c:120)
==30548== by 0x465686: mysql_read_default_options (client.c:1344)
==30548== by 0x46830F: mysql_real_connect (client.c:2971)
==30548== by 0x409339: client_connect (mysql_client_test.c:331)
==30548== by 0x463A7F: main (mysql_client_test.c:19902)
==30548== Address 0x61875ad is 0 bytes after a block of size 29 alloc'd
==30548== at 0x4C25153: malloc (vg_replace_malloc.c:195)
==30548== by 0x49BFF1: my_malloc (my_malloc.c:38)
==30548== by 0x49C65C: alloc_root (my_alloc.c:166)
==30548== by 0x48EF97: handle_default_option (default.c:381)
==30548== by 0x49068C: search_default_file_with_ext (default.c:992)
==30548== by 0x48F929: search_default_file (default.c:670)
==30548== by 0x48EDC4: my_search_option_files (default.c:312)
==30548== by 0x48F4B1: my_load_defaults (default.c:576)
==30548== by 0x46517A: mysql_read_default_options (client.c:1207)
==30548== by 0x46830F: mysql_real_connect (client.c:2971)
==30548== by 0x409339: client_connect (mysql_client_test.c:331)
==30548== by 0x463A7F: main (mysql_client_test.c:19902)
This is fixed by having find_type() not overwrite anymore.
sql/sql_help.cc:
cast not needed anymore.
sql/table.cc:
cast not needed anymore.
387 lines
10 KiB
C
387 lines
10 KiB
C
/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation; version 2 of the License.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program; if not, write to the Free Software
|
|
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */
|
|
|
|
/* Functions to handle typelib */
|
|
|
|
#include "mysys_priv.h"
|
|
#include <m_string.h>
|
|
#include <m_ctype.h>
|
|
|
|
|
|
#define is_field_separator(X) ((X) == ',' || (X) == '=')
|
|
|
|
int find_type_or_exit(const char *x, TYPELIB *typelib, const char *option)
|
|
{
|
|
int res;
|
|
const char **ptr;
|
|
|
|
if ((res= find_type((char *) x, typelib, FIND_TYPE_BASIC)) <= 0)
|
|
{
|
|
ptr= typelib->type_names;
|
|
if (!*x)
|
|
fprintf(stderr, "No option given to %s\n", option);
|
|
else
|
|
fprintf(stderr, "Unknown option to %s: %s\n", option, x);
|
|
fprintf(stderr, "Alternatives are: '%s'", *ptr);
|
|
while (*++ptr)
|
|
fprintf(stderr, ",'%s'", *ptr);
|
|
fprintf(stderr, "\n");
|
|
exit(1);
|
|
}
|
|
return res;
|
|
}
|
|
|
|
|
|
/**
|
|
Search after a string in a list of strings. Endspace in x is not compared.
|
|
|
|
@param x String to find
|
|
@param typelib TYPELIB (struct of pointer to values + count)
|
|
@param flags flags to tune behaviour: a combination of
|
|
FIND_TYPE_NO_PREFIX
|
|
FIND_TYPE_ALLOW_NUMBER
|
|
FIND_TYPE_COMMA_TERM.
|
|
FIND_TYPE_NO_OVERWRITE can be passed but is
|
|
superfluous (is always implicitely on).
|
|
|
|
@retval
|
|
-1 Too many matching values
|
|
@retval
|
|
0 No matching value
|
|
@retval
|
|
>0 Offset+1 in typelib for matched string
|
|
*/
|
|
|
|
|
|
int find_type(const char *x, const TYPELIB *typelib, uint flags)
|
|
{
|
|
int find,pos;
|
|
int UNINIT_VAR(findpos); /* guarded by find */
|
|
const char *i;
|
|
const char *j;
|
|
DBUG_ENTER("find_type");
|
|
DBUG_PRINT("enter",("x: '%s' lib: 0x%lx", x, (long) typelib));
|
|
|
|
DBUG_ASSERT(!(flags & ~(FIND_TYPE_NO_PREFIX | FIND_TYPE_ALLOW_NUMBER |
|
|
FIND_TYPE_NO_OVERWRITE | FIND_TYPE_COMMA_TERM)));
|
|
if (!typelib->count)
|
|
{
|
|
DBUG_PRINT("exit",("no count"));
|
|
DBUG_RETURN(0);
|
|
}
|
|
find=0;
|
|
for (pos=0 ; (j=typelib->type_names[pos]) ; pos++)
|
|
{
|
|
for (i=x ;
|
|
*i && (!(flags & FIND_TYPE_COMMA_TERM) || !is_field_separator(*i)) &&
|
|
my_toupper(&my_charset_latin1,*i) ==
|
|
my_toupper(&my_charset_latin1,*j) ; i++, j++) ;
|
|
if (! *j)
|
|
{
|
|
while (*i == ' ')
|
|
i++; /* skip_end_space */
|
|
if (! *i || ((flags & FIND_TYPE_COMMA_TERM) && is_field_separator(*i)))
|
|
DBUG_RETURN(pos+1);
|
|
}
|
|
if ((!*i &&
|
|
(!(flags & FIND_TYPE_COMMA_TERM) || !is_field_separator(*i))) &&
|
|
(!*j || !(flags & FIND_TYPE_NO_PREFIX)))
|
|
{
|
|
find++;
|
|
findpos=pos;
|
|
}
|
|
}
|
|
if (find == 0 && (flags & FIND_TYPE_ALLOW_NUMBER) && x[0] == '#' &&
|
|
strend(x)[-1] == '#' &&
|
|
(findpos=atoi(x+1)-1) >= 0 && (uint) findpos < typelib->count)
|
|
find=1;
|
|
else if (find == 0 || ! x[0])
|
|
{
|
|
DBUG_PRINT("exit",("Couldn't find type"));
|
|
DBUG_RETURN(0);
|
|
}
|
|
else if (find != 1 || (flags & FIND_TYPE_NO_PREFIX))
|
|
{
|
|
DBUG_PRINT("exit",("Too many possybilities"));
|
|
DBUG_RETURN(-1);
|
|
}
|
|
DBUG_RETURN(findpos+1);
|
|
} /* find_type */
|
|
|
|
|
|
/**
|
|
Get name of type nr
|
|
|
|
@note
|
|
first type is 1, 0 = empty field
|
|
*/
|
|
|
|
void make_type(register char * to, register uint nr,
|
|
register TYPELIB *typelib)
|
|
{
|
|
DBUG_ENTER("make_type");
|
|
if (!nr)
|
|
to[0]=0;
|
|
else
|
|
(void) strmov(to,get_type(typelib,nr-1));
|
|
DBUG_VOID_RETURN;
|
|
} /* make_type */
|
|
|
|
|
|
/**
|
|
Get type
|
|
|
|
@note
|
|
first type is 0
|
|
*/
|
|
|
|
const char *get_type(TYPELIB *typelib, uint nr)
|
|
{
|
|
if (nr < (uint) typelib->count && typelib->type_names)
|
|
return(typelib->type_names[nr]);
|
|
return "?";
|
|
}
|
|
|
|
|
|
/**
|
|
Create an integer value to represent the supplied comma-seperated
|
|
string where each string in the TYPELIB denotes a bit position.
|
|
|
|
@param x string to decompose
|
|
@param lib TYPELIB (struct of pointer to values + count)
|
|
@param err index (not char position) of string element which was not
|
|
found or 0 if there was no error
|
|
|
|
@retval
|
|
a integer representation of the supplied string
|
|
*/
|
|
|
|
my_ulonglong find_typeset(char *x, TYPELIB *lib, int *err)
|
|
{
|
|
my_ulonglong result;
|
|
int find;
|
|
char *i;
|
|
DBUG_ENTER("find_set");
|
|
DBUG_PRINT("enter",("x: '%s' lib: 0x%lx", x, (long) lib));
|
|
|
|
if (!lib->count)
|
|
{
|
|
DBUG_PRINT("exit",("no count"));
|
|
DBUG_RETURN(0);
|
|
}
|
|
result= 0;
|
|
*err= 0;
|
|
while (*x)
|
|
{
|
|
(*err)++;
|
|
i= x;
|
|
while (*x && !is_field_separator(*x))
|
|
x++;
|
|
if (x[0] && x[1]) /* skip separator if found */
|
|
x++;
|
|
if ((find= find_type(i, lib, FIND_TYPE_COMMA_TERM) - 1) < 0)
|
|
DBUG_RETURN(0);
|
|
result|= (ULL(1) << find);
|
|
}
|
|
*err= 0;
|
|
DBUG_RETURN(result);
|
|
} /* find_set */
|
|
|
|
|
|
/**
|
|
Create a copy of a specified TYPELIB structure.
|
|
|
|
@param root pointer to a MEM_ROOT object for allocations
|
|
@param from pointer to a source TYPELIB structure
|
|
|
|
@retval
|
|
pointer to the new TYPELIB structure on successful copy
|
|
@retval
|
|
NULL otherwise
|
|
*/
|
|
|
|
TYPELIB *copy_typelib(MEM_ROOT *root, TYPELIB *from)
|
|
{
|
|
TYPELIB *to;
|
|
uint i;
|
|
|
|
if (!from)
|
|
return NULL;
|
|
|
|
if (!(to= (TYPELIB*) alloc_root(root, sizeof(TYPELIB))))
|
|
return NULL;
|
|
|
|
if (!(to->type_names= (const char **)
|
|
alloc_root(root, (sizeof(char *) + sizeof(int)) * (from->count + 1))))
|
|
return NULL;
|
|
to->type_lengths= (unsigned int *)(to->type_names + from->count + 1);
|
|
to->count= from->count;
|
|
if (from->name)
|
|
{
|
|
if (!(to->name= strdup_root(root, from->name)))
|
|
return NULL;
|
|
}
|
|
else
|
|
to->name= NULL;
|
|
|
|
for (i= 0; i < from->count; i++)
|
|
{
|
|
if (!(to->type_names[i]= strmake_root(root, from->type_names[i],
|
|
from->type_lengths[i])))
|
|
return NULL;
|
|
to->type_lengths[i]= from->type_lengths[i];
|
|
}
|
|
to->type_names[to->count]= NULL;
|
|
to->type_lengths[to->count]= 0;
|
|
|
|
return to;
|
|
}
|
|
|
|
|
|
static const char *on_off_default_names[]= { "off","on","default", 0};
|
|
static TYPELIB on_off_default_typelib= {array_elements(on_off_default_names)-1,
|
|
"", on_off_default_names, 0};
|
|
|
|
/**
|
|
Parse a TYPELIB name from the buffer
|
|
|
|
@param lib Set of names to scan for.
|
|
@param strpos INOUT Start of the buffer (updated to point to the next
|
|
character after the name)
|
|
@param end End of the buffer
|
|
|
|
@note
|
|
The buffer is assumed to contain one of the names specified in the TYPELIB,
|
|
followed by comma, '=', or end of the buffer.
|
|
|
|
@retval
|
|
0 No matching name
|
|
@retval
|
|
>0 Offset+1 in typelib for matched name
|
|
*/
|
|
|
|
static uint parse_name(const TYPELIB *lib, const char **strpos, const char *end)
|
|
{
|
|
const char *pos= *strpos;
|
|
uint find= find_type(pos, lib, FIND_TYPE_COMMA_TERM);
|
|
for (; pos != end && *pos != '=' && *pos !=',' ; pos++);
|
|
*strpos= pos;
|
|
return find;
|
|
}
|
|
|
|
/**
|
|
Parse and apply a set of flag assingments
|
|
|
|
@param lib Flag names
|
|
@param default_name Number of "default" in the typelib
|
|
@param cur_set Current set of flags (start from this state)
|
|
@param default_set Default set of flags (use this for assign-default
|
|
keyword and flag=default assignments)
|
|
@param str String to be parsed
|
|
@param length Length of the string
|
|
@param err_pos OUT If error, set to point to start of wrong set string
|
|
NULL on success
|
|
@param err_len OUT If error, set to the length of wrong set string
|
|
|
|
@details
|
|
Parse a set of flag assignments, that is, parse a string in form:
|
|
|
|
param_name1=value1,param_name2=value2,...
|
|
|
|
where the names are specified in the TYPELIB, and each value can be
|
|
either 'on','off', or 'default'. Setting the same name twice is not
|
|
allowed.
|
|
|
|
Besides param=val assignments, we support the "default" keyword (keyword
|
|
#default_name in the typelib). It can be used one time, if specified it
|
|
causes us to build the new set over the default_set rather than cur_set
|
|
value.
|
|
|
|
@note
|
|
it's not charset aware
|
|
|
|
@retval
|
|
Parsed set value if (*errpos == NULL), otherwise undefined
|
|
*/
|
|
|
|
my_ulonglong find_set_from_flags(const TYPELIB *lib, uint default_name,
|
|
my_ulonglong cur_set, my_ulonglong default_set,
|
|
const char *str, uint length,
|
|
char **err_pos, uint *err_len)
|
|
{
|
|
const char *end= str + length;
|
|
my_ulonglong flags_to_set= 0, flags_to_clear= 0, res;
|
|
my_bool set_defaults= 0;
|
|
|
|
*err_pos= 0; /* No error yet */
|
|
if (str != end)
|
|
{
|
|
const char *start= str;
|
|
for (;;)
|
|
{
|
|
const char *pos= start;
|
|
uint flag_no, value;
|
|
|
|
if (!(flag_no= parse_name(lib, &pos, end)))
|
|
goto err;
|
|
|
|
if (flag_no == default_name)
|
|
{
|
|
/* Using 'default' twice isn't allowed. */
|
|
if (set_defaults)
|
|
goto err;
|
|
set_defaults= TRUE;
|
|
}
|
|
else
|
|
{
|
|
my_ulonglong bit= (1ULL << (flag_no - 1));
|
|
/* parse the '=on|off|default' */
|
|
if ((flags_to_clear | flags_to_set) & bit ||
|
|
pos >= end || *pos++ != '=' ||
|
|
!(value= parse_name(&on_off_default_typelib, &pos, end)))
|
|
goto err;
|
|
|
|
if (value == 1) /* this is '=off' */
|
|
flags_to_clear|= bit;
|
|
else if (value == 2) /* this is '=on' */
|
|
flags_to_set|= bit;
|
|
else /* this is '=default' */
|
|
{
|
|
if (default_set & bit)
|
|
flags_to_set|= bit;
|
|
else
|
|
flags_to_clear|= bit;
|
|
}
|
|
}
|
|
if (pos >= end)
|
|
break;
|
|
|
|
if (*pos++ != ',')
|
|
goto err;
|
|
|
|
start=pos;
|
|
continue;
|
|
err:
|
|
*err_pos= (char*)start;
|
|
*err_len= end - start;
|
|
break;
|
|
}
|
|
}
|
|
res= set_defaults? default_set : cur_set;
|
|
res|= flags_to_set;
|
|
res&= ~flags_to_clear;
|
|
return res;
|
|
}
|
|
|