path: root/sql/sp.cc
author: unknown <andrey@example.com> 2006-09-27 21:23:17 +0200
committer: unknown <andrey@example.com> 2006-09-27 21:23:17 +0200
commit: fcb8687ad98ea57bfe8d12d36af1432561054565 (patch)
tree: 430d65358da17da14444d9ea6c5d75578353c859 /sql/sp.cc
parent: 1a22b9c1f62f2e24a8a8899fac32bd29503ee3e8 (diff)
download: mariadb-git-fcb8687ad98ea57bfe8d12d36af1432561054565.tar.gz
Fix for bug#21311: Possible stack overrun if SP has non-latin1 name
There was a possible stack overrun in an edge case which handles an invalid body of a SP in mysql.proc. That should be the case when mysql.proc has been changed manually. Though, due to bug 21513, it can be exploited without having access to mysql.proc, only being able to create a stored routine.

mysql-test/r/sp.result: update result
mysql-test/t/sp.test: add a test case for the bug
sql/sp.cc: Fix stack overrun. This happens mostly when mysql.proc is damaged, though it's possible, due to another bug which creates an invalid SP body in mysql.proc (leading quote from a label being cut), to create a stack overrun even without having direct access to mysql.proc.
Diffstat (limited to 'sql/sp.cc')
-rw-r--r-- sql/sp.cc 12
1 files changed, 11 insertions, 1 deletions
diff --git a/sql/sp.cc b/sql/sp.cc
index fc72822c15e..ff80833b23a 100644
--- a/sql/sp.cc
+++ b/sql/sp.cc
@@ -1633,7 +1633,17 @@ sp_cache_routines_and_add_tables_aux(THD *thd, LEX *lex,
*/
if (!thd->net.report_error)
{
- char n[NAME_LEN*2+2];
+ /*
+ SP allows full NAME_LEN chars thus he have to allocate enough
+ size in bytes. Otherwise there is stack overrun could happen
+ if multibyte sequence is `name`. `db` is still safe because the
+ rest of the server checks agains NAME_LEN bytes and not chars.
+ Hence, the overrun happens only if the name is in length > 32 and
+ uses multibyte (cyrillic, greek, etc.)
+
+ !! Change 3 with SYSTEM_CHARSET_MBMAXLEN when it's defined.
+ */
+ char n[NAME_LEN*3*2+2];
/* m_qname.str is not always \0 terminated */
memcpy(n, name.m_qname.str, name.m_qname.length);
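Review bot: the memcpy on the last visible line still copies `name.m_qname.length` bytes into `n` with no check against `sizeof(n)`, so the enlarged buffer is the only thing standing between a damaged mysql.proc row and the same overrun this patch is meant to fix; since the commit message says the input can be a manually edited or otherwise invalid mysql.proc entry, add an explicit guard before the copy (for example `DBUG_ASSERT(name.m_qname.length < sizeof(n));` plus a runtime clamp or early return when the length exceeds the buffer) rather than relying on the sizing arithmetic alone. The sizing itself hardcodes the multibyte factor as a magic `3` in `char n[NAME_LEN*3*2+2];`, and the comment admits it with "!! Change 3 with SYSTEM_CHARSET_MBMAXLEN when it's defined"; a named constant next to NAME_LEN (or deriving the size from `system_charset_info->mbmaxlen`) would keep the buffer in step if the system charset ever changes, and the `+2` should be documented as covering the separator and the terminator so the next reader does not have to re-derive it. Finally, the new comment has several typos that should be cleaned up before merge: "he have" should be "we have", "there is stack overrun could happen" should be "a stack overrun could happen", "checks agains" should be "checks against", and "if the name is in length > 32" reads better as "if the name is longer than 32 characters".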