Bug #29723340: MYSQL SERVER CRASH AFTER SQL QUERY WITH DATA ?AST

Chandan Kunal · Chandan Kunal · commit 52d9daf06478 · 2019-06-25T13:01:37.000+05:30
Description:
============
MySQL server ends abruptly when a SELECT query with WHERE clause
having a predicate with a numeric value in the format of
(scientific) E-notation is executed.

ANALYSIS:
=========
my_strntoull10_8bit is invoked to convert user provided string to
unsigned longlong integer value. The 'exponent' variable is used to
store the value of exponent part of the user provided literal.
But the data type of 'exponent' variable is of int, whereas the
exponent part of the user provided literal is greater than INT_MAX.
Hence it results into garbage value into 'exponent' variable and then
it results the segmentation fault, when we access array d10 using
this garbage value.

SOLUTION:
=========
Change the data type variables used for storing the value of exponent
to longlong. Also check the value of exponent so that value greater
than LLONG_MAX is not processed further.

This is a partial backport of the patch for
  Bug#22824408 FIX MORE ERRORS REPORTED BY UBSAN - FOUR
and
  Bug#28505423 UBSAN: SIGNED INTEGER OVERFLOW IN
  MY_STRNTOULL10RND_8BIT

Change-Id: I773d048496b37d921b3504b1ec61b0a31f24ca77
diff --git a/strings/ctype-simple.c b/strings/ctype-simple.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -1517,7 +1517,7 @@ my_strntoull10rnd_8bit(const CHARSET_INFO *cs MY_ATTRIBUTE((unused)),
     str++;
     if (str < end)
     {
-      int negative_exp, exponent;
+      longlong negative_exp, exponent;
       if ((negative_exp= (*str == '-')) || *str=='+')
       {
         if (++str == end)
@@ -1527,7 +1527,10 @@ my_strntoull10rnd_8bit(const CHARSET_INFO *cs MY_ATTRIBUTE((unused)),
            str < end && (ch= (uchar) (*str - '0')) < 10;
            str++)
       {
-        exponent= exponent * 10 + ch;
+        if (exponent <= (LLONG_MAX - ch) / 10)
+         exponent= exponent * 10 + ch;
+        else
+         goto ret_too_big;
       }
       shift+= negative_exp ? -exponent : exponent;
     }

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-/* Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved.`
	`1`	`+/* Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.`
`2`	`2`
`3`	`3`	`This program is free software; you can redistribute it and/or modify`
`4`	`4`	`it under the terms of the GNU General Public License as published by`
`@@ -1517,7 +1517,7 @@ my_strntoull10rnd_8bit(const CHARSET_INFO *cs MY_ATTRIBUTE((unused)),`
`1517`	`1517`	`str++;`
`1518`	`1518`	`if (str < end)`
`1519`	`1519`	`{`
`1520`		`- int negative_exp, exponent;`
	`1520`	`+ longlong negative_exp, exponent;`
`1521`	`1521`	`if ((negative_exp= (str == '-')) \|\| str=='+')`
`1522`	`1522`	`{`
`1523`	`1523`	`if (++str == end)`
`@@ -1527,7 +1527,10 @@ my_strntoull10rnd_8bit(const CHARSET_INFO *cs MY_ATTRIBUTE((unused)),`
`1527`	`1527`	`str < end && (ch= (uchar) (*str - '0')) < 10;`
`1528`	`1528`	`str++)`
`1529`	`1529`	`{`
`1530`		`- exponent= exponent * 10 + ch;`
	`1530`	`+ if (exponent <= (LLONG_MAX - ch) / 10)`
	`1531`	`+ exponent= exponent * 10 + ch;`
	`1532`	`+ else`
	`1533`	`+ goto ret_too_big;`
`1531`	`1534`	`}`
`1532`	`1535`	`shift+= negative_exp ? -exponent : exponent;`
`1533`	`1536`	`}`