diff options
| -rw-r--r-- | mysql-test/r/sp.result | 10 | ||||
| -rw-r--r-- | mysql-test/t/sp.test | 18 | ||||
| -rw-r--r-- | sql/field.cc | 12 | ||||
| -rw-r--r-- | sql/field.h | 10 |
4 files changed, 48 insertions, 2 deletions
diff --git a/mysql-test/r/sp.result b/mysql-test/r/sp.result index be21251d92e..e788d30a14b 100644 --- a/mysql-test/r/sp.result +++ b/mysql-test/r/sp.result @@ -6662,6 +6662,16 @@ drop procedure p1; drop function f1; drop view v1; drop table t1; +drop procedure if exists `p2` $ +create procedure `p2`(in `a` text charset utf8) +begin +declare `pos` int default 1; +declare `str` text charset utf8; +set `str` := `a`; +select substr(`str`, `pos`+ 1 ) into `str`; +end $ +call `p2`('s s s s s s'); +drop procedure `p2`; # ------------------------------------------------------------------ # -- End of 5.0 tests # ------------------------------------------------------------------ diff --git a/mysql-test/t/sp.test b/mysql-test/t/sp.test index 87ab1d2f0d9..21ca2528e4f 100644 --- a/mysql-test/t/sp.test +++ b/mysql-test/t/sp.test @@ -7818,6 +7818,24 @@ drop function f1; drop view v1; drop table t1; +# +# Bug#38469 invalid memory read and/or crash with utf8 text field, stored procedure, uservar +# +delimiter $; +--disable_warnings +drop procedure if exists `p2` $ +--enable_warnings +create procedure `p2`(in `a` text charset utf8) +begin + declare `pos` int default 1; + declare `str` text charset utf8; + set `str` := `a`; + select substr(`str`, `pos`+ 1 ) into `str`; +end $ +delimiter ;$ +call `p2`('s s s s s s'); +drop procedure `p2`; + --echo # ------------------------------------------------------------------ --echo # -- End of 5.0 tests --echo # ------------------------------------------------------------------ diff --git a/sql/field.cc b/sql/field.cc index d840034f8dc..3d3f698f912 100644 --- a/sql/field.cc +++ b/sql/field.cc @@ -6992,8 +6992,18 @@ int Field_blob::store(const char *from,uint length,CHARSET_INFO *cs) return 0; } - if (from == value.ptr()) + /* + If the 'from' address is in the range of the temporary 'value'- + object we need to copy the content to a different location or it will be + invalidated when the 'value'-object is reallocated to make room for + the new character set. + */ + if (from >= value.ptr() && from <= value.ptr()+value.length()) { + /* + If content of the 'from'-address is cached in the 'value'-object + it is possible that the content needs a character conversion. + */ uint32 dummy_offset; if (!String::needs_conversion(length, cs, field_charset, &dummy_offset)) { diff --git a/sql/field.h b/sql/field.h index 7b2dda77095..2975719a591 100644 --- a/sql/field.h +++ b/sql/field.h @@ -1213,8 +1213,16 @@ public: class Field_blob :public Field_longstr { protected: + /** + The number of bytes used to represent the length of the blob. + */ uint packlength; - String value; // For temporaries + + /** + The 'value'-object is a cache fronting the storage engine. + */ + String value; + public: Field_blob(char *ptr_arg, uchar *null_ptr_arg, uchar null_bit_arg, enum utype unireg_check_arg, const char *field_name_arg, |